Secure storage systems and methods

ABSTRACT

Secure storage platforms and their application in secure temporary property storage applications are disclosed and comprise: secure locker systems; secure locker systems comprising emergency access; secure locker systems comprising collapsible lockable compartments; secure storage systems comprising chain of custody management, recording and authentication; redirected delivery including post-delivery redirected delivery, en route delivery and dispatch delivery services comprising chain of custody services; and secure property claim check and car valet systems. A secure storage platform uses a secure protocol to establish challenge code and verification code generators to provide short lived single use access authentication codes to enable secure access and custody management of secured and stored property.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of, and claims the benefit of, copending U.S. patent application Ser. No. 16/858,445, filed Apr. 24, 2020 which is a continuation of, and claims the benefit of, U.S. patent application Ser. No. 16/446,594, filed Jun. 19, 2019 which is a continuation in part of, and claims the benefit of, U.S. patent application Ser. No. 16/389,841, filed Apr. 19, 2019 which is a continuation of, and claims the benefit of, U.S. patent application Ser. No. 16/117,583, filed Aug. 30, 2018, which claims the benefit of U.S. Provisional Application No. 62/552,423, filed Aug. 31, 2017, each of which is hereby incorporated by reference in its entirety herein.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT

Not Applicable

THE NAMES OF THE PARTIES TO A JOINT RESEARCH AGREEMENT

Not Applicable

INCORPORATION-BY-REFERENCE OF MATERIAL SUBMITTED ON A COMPACT DISC OR AS A TEXT FILE VIA THE OFFICE ELECTRONIC FILING SYSTEM (EFS-WEB)

Not Applicable

BACKGROUND

The subject matter of this disclosure generally relates to systems and methods for the securing and custody management of property in dedicated and shared service environments such as locker rental services, temporary storage of delivered goods and packages, and checked items such as luggage and coats and valeted vehicles.

There is a prevalent and increasing need for services which provide for temporary securing of property. The carrying of personal property or property of a custodial responsibility, combined with activities which make it mandatory or desirable to temporarily divest oneself of such property, or transfer custodial responsibility of such property is both commonplace and increasing. For example, the need for access to available secure lockers is increasing as safety policies place increasing restrictions on what can be brought into facilities and event venues. Prospective attendees at event venues in possession of disallowed items are routinely blocked from entry and are turned away to hopefully make suitable arrangements for secure temporary storage, and lacking timely success, may have to forgo the event altogether. This leads to the significant inconveniencing of venue patrons causing significant loss of good will between venue proprietors and their patrons, thereby impacting venue popularity and revenues. Furthermore, the carrying of items which are optimally placed into temporary safekeeping is commonplace and increasing as people increasingly carry valuable items such as computer notebooks, electronic tablets, business and personal documents and effects throughout a busy day wherein they may visit facilities which increasingly restrict entry with one or more carried items, or the carrying individual simply wants to temporarily unburden themselves, such as at a facility, bar, restaurant or other such location, and not have to be concerned with maintaining vigilant watch against theft, damage or loss.

Traveling readily amplifies the need or desire for temporary safekeeping of carried items, other business related or personal items, or items with which they may have a custodial responsibility. Preferably such persons are able to locate temporary secure storage or other safekeeping services, such as secure rental lockers or some form of trustworthy checked storage services, such as hotel bag-check services, as they pursue their travel itinerary and activities. Of a similar nature to bag-check services are coat-check services. Also of similar nature are valet services, where control of a vehicle is temporarily transferred by transferring the keys for the vehicle to a valet attendant.

Another example of commonplace and increasing need for the temporary securing of property is that related to package delivery services, wherein a delivery service has custodial responsibility for property upon their taking possession thereof from a shipping entity until such time that it is acknowledged as received by a proper recipient. According to a Pitney Bowes Parcel Shipping Index Report, the growth of e-commerce across all business segments in 13 global markets resulted in the dramatic increase in parcel shipment volume of 48 percent over two years, where reported parcel volume of 44 billion parcels in 2014 grew to 65 billion in 2016. This dramatic increase in package delivery has led to a dramatic increase in theft of packages. According to an article published by USA Today, “Were your Amazon packages stolen? Porch pirates run rampant this holiday season”, Dec. 13, 2018, 30 percent of Americans say they've experienced such theft themselves and the Denver Police Department, which tracks package theft, has seen incidents rise every year since 2015. Additionally, with this increasing trend in package delivery, persons traveling are commonly and increasingly in situations where they preferably can receive and access delivered items at locations away from home. For example, someone may wish to ideally have a package delivery redirected and conveniently accessible, such as in a temporary secure storage locker, while traveling en route.

BRIEF SUMMARY OF THE INVENTION

According to some possible and illustrative embodiments of the disclosed subject matter, secure storage platforms and secure temporary storage applications, are disclosed. Such secure temporary storage applications may comprise, but are not limited to: secure locker systems; secure locker systems comprising emergency access; secure locker systems comprising collapsible lockable compartments; secure storage systems comprising chain of custody services and authentication services thereof; secure redirected and dispatch delivery comprising chain of custody services and secure storage; and secure property claim check and car valet systems.

Secure Locker System Comprising a Secure Storage Platform

A secure storage platform in conjunction with a secure locker system and method may comprise a server based system comprising one or more servers, software services and data services, and may be a cloud based system. A secure locker system may further comprise a plurality of lockable compartments. Lockable compartments comprise a lockable door and a controllable electromechanical lock, which may also be referred to herein simply as a lock. Electromechanical locks may be intelligent locks comprising a lock access controller, or may be simple locks controlled by a lock controller board comprising a lock access controller. Lockable compartments may be organized in groupings in varying numbers of units and of varying styles of construction and configuration, such as varying unit size and varying style of lock. A plurality of lockable compartments organized in a grouping may be referred to as a locker bank. Generally, locker banks may be located in various geographic locations and do not require a particular geographic relationship to one another or to a server based system. In an embodiment a locker bank may additionally comprise a kiosk. A kiosk may comprise a touchscreen, a keypad and card reader.

A secure locker system may also comprise one or more portable wireless devices useable by users for interacting with the secure locker system to rent and access a lockable compartment or access an otherwise lockable compartment assigned thereto, or perform other related interactions such as search for available lockable compartments, terminate a locker rental and the like. Portable wireless devices can be smartphones, and may also be smartwatches, cell phones, tablets, laptops and other devices which provide a user interface and can be communicatively connected to the server based system, and lock access controllers of locks of lockable compartments. Portable wireless devices may comprise at least one type of wireless communications capability, such as, a cellular internet communications, herein also referred to as a wide area network (WAN) capability; a short range communications capability, such as Bluetooth communications; and a wireless local area network (WLAN) capability, such as an IEEE 802.11 based WLAN (Wi-Fi); wherein, many devices, such as many smartphone portable wireless devices, may comprise all three of a WAN, short range and WLAN communications.

A secure locker system may additionally comprise one or more operator devices, such as a computer or a tablet, which may be used by personnel engaged in managing the operations of the secure locker system to perform such functions as review the volume of locker rentals over time, review advanced rental bookings, review the current number of available lockers, review the anticipated or predicted shortages of available lockers, review actual and projected rental revenues, review and report issues, review and issue maintenance requests, and the like. Operator devices may additionally be laptop computers, smartphones and other portable electronic devices, and be used for locker installation and maintenance operations of lockable compartments, locker bank installations, customer assistance, and the like. Operator devices may comprise wireless communications capability, such as, a cellular internet (WAN) communications capability, a wireless local area network (WLAN) capability and a short range communications capability, such as Bluetooth communications, wherein many devices, such as many smartphone based operator devices, may comprise all three of a WAN, WLAN and short range communications.

A challenge code generator of a server based system of a secure locker system may enable a portable wireless device for secure access to a lockable compartment by providing the portable wireless device with a single use access authentication code for use as a challenge code. A single use access authentication challenge code is applicable to a single access transaction. A single use access authentication code is also independently generated by a verification code generator of a lock access controller for a lock to be accessed for use as a corresponding verification code. The use of access authentication codes that may only be used once ensures that a disclosure and/or malicious capture of any code limits the exposure of unauthorized access to a single access event of a specific lockable compartment. In an embodiment, a challenge code may be generated and provided by a server based system to a requesting portable wireless device when the requesting portable wireless device is close enough to establish short range communications with a lock access controller of a lockable compartment to be accessed. This limits the useful lifetime of an access authentication code, since the user of the requesting portable wireless device is in close proximity and presumably readying to open the lockable compartment, and the code may therefore be used as soon as it is received by the portable wireless device. In an embodiment, a challenge code and independently generated verification code may be generated upon the initiation of an access request presented to a lock access controller, upon which a time window, such as a one or five second time window, for use of the verification and challenge codes may be established, wherein if the codes are not used in conjunction with an access event within the time window, the codes expire and are no longer useable.

A secure protocol may be established for independent generation of single use access authentication codes by a server based system and lock access controllers for each lock of a secure locker system. A secure protocol may use encryption, such as, the Advanced Encryption Standard (AES) published by the National Institute of Standards and Technology (NIST). Code derivation encryption keys, also referred to herein as code derivation keys or derivation keys, may be established such that they are solely known to a server based system and a lock access controller which may reside within a lock or a controller board controlling the lock. When a lock is to be made operable in a secure locker system, it can be initialized with a code derivation key and an input code which reside in each of: a) the verification code generator of the lock access controller for use in generating verification codes, and b) a lock access table maintained by the challenge code generator of the server based system for use in generating challenge codes. Upon a first access of a newly initialized lock, a first generated single use access authentication code is generated by the server based system for use as a challenge code, and by the lock access controller for use as a verification code, by encrypting the input code with the code derivation key independently comprised therein. A second access code and further subsequent access codes are generated by encrypting the last generated access code as the input code with the code derivation key.
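The code chain and time window described in the two paragraphs above can be modeled as follows. This is an added example, not code from the disclosure: the type and function names, the 16-byte code size, the constructed key and input code, and the bounded roll-forward on the sequence number (`maxSkew`) are all assumptions of the sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

const maxSkew = 8 // assumed limit on cycles a lock rolls forward to resynchronize

var (
	ErrOutOfSync = errors.New("sequence number outside accepted range")
	ErrNoPending = errors.New("no access request pending")
	ErrExpired   = errors.New("time window expired")
	ErrMismatch  = errors.New("challenge code does not match verification code")
)

// chain is the per-lock state that server and lock each hold independently.
type chain struct {
	blk  cipher.Block // AES keyed with the shared code derivation key
	last [16]byte     // input code for the next generation cycle
	seq  uint64       // shared sequence number (count of cycles run)
}

// next runs one cycle: the new code is the previous code encrypted with the key.
func (c *chain) next() [16]byte {
	var out [16]byte
	c.blk.Encrypt(out[:], c.last[:])
	c.last = out
	c.seq++
	return out
}

// Server plays the challenge code generator (one lock access table entry).
type Server struct{ c chain }

// Lock plays the verification code generator in the lock access controller.
type Lock struct {
	c        chain
	window   time.Duration
	pending  *[16]byte
	deadline time.Time
}

// NewPair stands in for lock initialization: both sides get the same key and input code.
func NewPair(key []byte, inputCode [16]byte, window time.Duration) (*Server, *Lock, error) {
	sb, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	lb, _ := aes.NewCipher(key) // same key, already validated above
	return &Server{chain{blk: sb, last: inputCode}},
		&Lock{c: chain{blk: lb, last: inputCode}, window: window}, nil
}

// IssueChallenge consumes one cycle and returns its sequence number and code.
func (s *Server) IssueChallenge() (uint64, [16]byte) {
	code := s.c.next()
	return s.c.seq, code
}

// BeginAccess consumes every cycle up to seq, so skipped or expired codes can
// never verify later, then opens the time window for the code of cycle seq.
func (l *Lock) BeginAccess(seq uint64, now time.Time) error {
	if seq <= l.c.seq || seq-l.c.seq > maxSkew {
		return ErrOutOfSync
	}
	var code [16]byte
	for l.c.seq < seq {
		code = l.c.next()
	}
	l.pending, l.deadline = &code, now.Add(l.window)
	return nil
}

// Present checks a challenge code; the pending code is cleared on every outcome.
func (l *Lock) Present(challenge [16]byte, now time.Time) error {
	want := l.pending
	l.pending = nil
	switch {
	case want == nil:
		return ErrNoPending
	case now.After(l.deadline):
		return ErrExpired
	case subtle.ConstantTimeCompare(want[:], challenge[:]) != 1:
		return ErrMismatch
	}
	return nil
}

func main() {
	var in [16]byte
	copy(in[:], "constructed-code") // constructed sample values, not real secrets
	srv, lock, _ := NewPair([]byte("constructed-key!"), in, 5*time.Second)
	seq, code := srv.IssueChallenge()
	now := time.Now()
	fmt.Println(lock.BeginAccess(seq, now), lock.Present(code, now), lock.Present(code, now))
}
```
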

An operator device and a server based system can exchange public keys of respectively comprised public/private key pairs and can also use digital certificates issued from trusted third party certificate authorities to mutually authenticate each other in order to engage in a lock initialization process. The public keys may be used to securely exchange independently generated derivation key component values and input code component values, using an asymmetric encryption such as the Rivest-Shamir-Adleman (RSA) asymmetric encryption. The component values may then be assembled within an operator device (and loaded into a lock access controller therefrom) and a server based system to create a shared code derivation key and a shared input code needed to complete an initialization process. In an embodiment, a lock access controller may comprise asymmetric encryption and an operator device may provide the lock access controller with a server based system public key, such that a lock derivation key component and a lock input code component may be generated and encrypted within the lock access controller. In such an embodiment, an unencrypted lock derivation key component and an unencrypted lock input code component need not ever reside outside of the lock access controller. Furthermore, the assembly of component values needed for the derivation key and the input code comprised by the lock access controller may be performed therein.

An operator device may initialize a lock by first putting the lock access controller controlling the lock into a service mode by presenting to the lock access controller a valid challenge code and valid secure service mode token for the lock provided by the server based system. To create a secure service mode token, the server based system can encrypt a value that is shared between the server based system and the lock access controller other than the input code. A sequence number may be an additional shared value between a lock access controller and a server based system and may be used to maintain a synchronization of code generation cycles. Additionally, a sequence number can be used as a service mode token and be encrypted using a code derivation key and thereby be used as a secure service mode token used to establish a service mode. A server based system may restrict provision of secure service mode tokens to authenticated operator devices to prevent a fraudulent use of user portable wireless devices (which may have access to challenge codes) to fraudulently establish a service mode of a lock access controller. When a lock is first initialized for use in a secure locker system, the derivation key, input code and sequence number used to put the lock access controller controlling the lock into service mode may be default values or initial values established during manufacturing of the lock access controller.

Upon successful entry into service mode, the initialization process generates a new shared secret derivation key and a new shared secret input code by the independent generation, encryption and secure mutual exchange of encrypted derivation key components and encrypted input code components by the server based system and the operator device or the lock access controller. Once components are exchanged, the received encrypted components may be decrypted and combined with the locally generated components to assemble the new shared code derivation key and the new shared input code. By using independently generated and mutually exchanged derivation key components and input code components which are passed under respective public/private key pairs, a considerable level of additional security protection is achieved beyond security which may be achieved through a sending of a complete derivation key or input code using only transport level security protocols, such as TLS, to secure the key or code. Namely, both secret private keys and the cypher text of all component parts must be respectively obtained and intercepted in order to assemble the derivation key and input code. Furthermore, an additional measure of device authentication is realized as both the server based system and the operator device must exercise a private key known only to them to decrypt a received component in order for it to be put into use.
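The component exchange described in the paragraphs above, sketched with RSA-OAEP. This is an added example, not code from the disclosure; it assumes the two public keys have already been authenticated, and the names, the 16-byte component size, the OAEP labels and the SHA-256 combiner are assumptions, since the text does not say how components are assembled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// OAEP labels bind each ciphertext to its purpose (an assumption of this sketch).
var labelKey, labelCode = []byte("derivation-key-component"), []byte("input-code-component")

// Party is one end of the exchange: the server based system, or the operator
// device / lock access controller.
type Party struct {
	priv              *rsa.PrivateKey
	keyPart, codePart []byte // locally generated components, never sent in the clear
}

func NewParty() (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	p := &Party{priv: priv, keyPart: make([]byte, 16), codePart: make([]byte, 16)}
	if _, err := rand.Read(p.keyPart); err != nil {
		return nil, err
	}
	if _, err := rand.Read(p.codePart); err != nil {
		return nil, err
	}
	return p, nil
}

func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Wrap encrypts the local components under the peer's public key (RSA-OAEP).
func (p *Party) Wrap(peer *rsa.PublicKey) (encKey, encCode []byte, err error) {
	if encKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, p.keyPart, labelKey); err != nil {
		return nil, nil, err
	}
	encCode, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, p.codePart, labelCode)
	return encKey, encCode, err
}

// combine assembles a 16-byte value from both components in a fixed order.
// Hashing is an assumed combiner; the text does not specify one.
func combine(serverPart, peerPart []byte) (out [16]byte) {
	sum := sha256.Sum256(append(append([]byte{}, serverPart...), peerPart...))
	copy(out[:], sum[:16])
	return out
}

// Assemble decrypts the peer's components with the local private key and
// combines them with the local ones. isServer fixes the ordering on both sides.
func (p *Party) Assemble(encKey, encCode []byte, isServer bool) (key, code [16]byte, err error) {
	peerKey, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, encKey, labelKey)
	if err != nil {
		return key, code, err
	}
	peerCode, err := rsa.DecryptOAEP(sha256.New(), nil, p.priv, encCode, labelCode)
	if err != nil {
		return key, code, err
	}
	if isServer {
		return combine(p.keyPart, peerKey), combine(p.codePart, peerCode), nil
	}
	return combine(peerKey, p.keyPart), combine(peerCode, p.codePart), nil
}

func main() {
	srv, _ := NewParty()
	op, _ := NewParty()
	srvK, srvC, _ := srv.Wrap(op.Public()) // server -> operator
	opK, opC, _ := op.Wrap(srv.Public())   // operator -> server
	k1, c1, _ := srv.Assemble(opK, opC, true)
	k2, c2, _ := op.Assemble(srvK, srvC, false)
	fmt.Println("derivation keys match:", k1 == k2, "input codes match:", c1 == c2)
}
```
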

In an embodiment, a lockable compartment may comprise a keypad, and a user having a current rental session, or otherwise having an assigned use of the lockable compartment may wish to store their portable wireless device therein. The user may submit a request to assign a user PIN (request to assign PIN) and select a PIN on their portable wireless device. An assign user PIN submission by a portable wireless device with the selected PIN in combination with a successful challenge code may then, for the duration of the present rental session or assignment, cause the lock access controller for the lock of the lockable compartment to accept a correct selected PIN entered via the keypad and open the lock in response thereof. If a user suspects their selected PIN may have been compromised, they can submit another assign user PIN request and select another PIN on their portable wireless device, or submit a request to cancel and deactivate their current access PIN, should they determine they no longer want or need the capability of access via the keypad. Upon an access in conjunction with a termination of a rental session or assignment, the server based system may cancel and deactivate the access PIN.

In an embodiment, a locker bank may comprise a kiosk which may comprise a touchscreen user interface, an electronic payment keypad, which may accept secure entry of a debit card PIN number, and a chip and magnetic stripe card reader. The kiosk may be used by users to rent and access lockable compartments. The kiosk may be used when a user does not have a portable wireless device or their portable wireless device is otherwise not available, for example, the battery is fully depleted. A kiosk can communicate with a server based system and receive a challenge code for access to a lockable compartment and can interact with lock access controllers in a similar fashion as a portable wireless device. A user having a user account with a secure locker system can use a kiosk to log into their account to facilitate the rental process, or can otherwise use the system as a guest user. A user having a current rental session with a lockable compartment can access it using a portable wireless device or kiosk by authenticating themselves to a server based system by having signed into their user account of a secure locker system application, and selecting an open locker selection. Alternatively, a user having a user PIN, previously established through an assign user PIN command, may enter the PIN into the kiosk or a keypad of their rented or assigned lockable compartment, should it be so equipped.

Access events may be logged and recorded in a server based system of a secure locker system. Access events may comprise interactions with a server based system, portable wireless devices, operator devices and lock access controllers of intelligent locks or lock access controllers of lock controller boards controlling simple locks. Lockable compartment access records can be processed from one or more access events and comprise a complete account of events for an access of a lockable compartment, or failed attempt thereof.

Secure Locker System Rental and Access Application

A secure locker system may comprise a rental and access application for download onto portable wireless devices and thereby permit users to interact with the secure locker system to rent and access a lockable compartment or access an otherwise assigned lockable compartment, and perform other related interactions such as search for available lockable compartments, review current rentals, terminate a locker rental, and the like. Lockable compartments may comprise a barcode, such as a quick response barcode, or QR Code, such that users may use their portable wireless devices to quickly access information from a server based system related to the rental of a lockable compartment, download a rental application therefrom if not already loaded, and establish an account therewith if not already established. If a user already has the application downloaded, the application may indicate an availability status for the scanned lockable compartment, or a nearby lockable compartment available for rental. Once logged into their account, the user can be presented with a home view, where the user can choose from a plurality of actions, such as, a select/scan a locker action which may present a rental screen, map view action which may present screens to locate a locker, current rentals action which may present a screen of their current rentals, transaction history action which may present a review of their transaction history, account settings action which may present screens to review and update account settings and a logout action which may exit the application.

Similar to a secure locker system rental and access application usable by users to interact with a secure locker system, a secure locker system operations application can be provided and be usable by operators of a secure locker system to interact therewith. A secure locker operations application can be downloaded onto an operator device and be associated with an operator account comprised by the server based system. An operator can be authenticated by logging into their account similar to a user logging into an account associated with a secure locker rental and access application. A secure locker operations application can be used to initialize locks and process maintenance and service requests, among other operations related actions.

Secure Locker System Comprising Emergency Access

An operator of a secure locker system may operate lockable compartments located at a plurality of locations and venues, and may be associated with a plurality of location operators and venue proprietors. A secure locker system operator may choose to additionally provide a localized redundancy of functions and services remotely provided by a server based system. In this manner, should the remotely provided functions and services of the server based system become unavailable to operate lockable compartments of a location or venue, a local server based emergency access appliance or system may be enabled as failover services such that patrons of affected lockable compartments have continued use and access thereof. In an embodiment, a secure locker system may additionally comprise one or more appliances or server based emergency access systems, each of which may comprise one or more servers, software services and data services. Each appliance or server based emergency access system, also referred to as an emergency access system, may be located at or in proximity of a location or venue comprising a secure locker operation, and may be associated therewith and provide uninterrupted locker access operations in the event that the server based system is not functional, is not accessible or is otherwise unavailable to support access of lockable compartments associated therewith.

Emergency challenge codes and emergency verification codes can be used in an emergency lock access process, and can be generated using emergency access input codes and emergency access derivation keys, wherein an emergency challenge code generator of an emergency access system generates an emergency challenge code and a verification code generator of a lock access controller generates an emergency verification code. When locks supported by both a server based system and an emergency access system are initialized for use in a secure locker system, both sets of keys and input codes (one set for use with a server based system and one set for use with an emergency access system) can be established in a combined initialization process. An operator device initializing locks in a combined initialization process exchanges public keys of respective public/private key pairs with both a server based system and an emergency access system such that the component parts for each set of derivation keys and input codes can be securely exchanged. An emergency sequence number is an additional shared value comprised by a lock access controller and an emergency access system, and may be used to maintain a synchronization of emergency code generation cycles therebetween.

In normal operations, when a server based system is available, active rental session records, also called active rental contracts, for lockable compartments also serviced by an emergency access system are communicated by the server based system to the appropriate emergency access system. As such, should a server based system become unavailable, emergency based systems can continue to provide access per the currently active rental contracts within their system. When a portable wireless device establishes a rental contract for a lockable compartment, a server based system can check to see if the contracted compartment is associated with an emergency access system and, if it is, send a record of the contract thereto. Additionally, the server based system can send failover URLs for API services of the associated emergency access system to the portable wireless device and a secure locker app running thereon upon entering into the rental contract. Should the API services of the server based system then become unavailable, the portable wireless device and secure locker system rental and access app running thereon, may then utilize the failover URLs for API services of the associated emergency access system for emergency access transactions until such time that the server based system becomes available.

Each emergency access system can maintain emergency access event records and emergency lockable compartment access records. When the server based system returns to an available status, records from an emergency access system can be forwarded thereto. Any deferred processing, such as submission of payment transactions, that was deferred until the server based system became available can then be processed. A server based system can audit an emergency access system by processing records from the emergency access system, and can also request records comprising emergency sequence numbers for each lock within the lock emergency access system to validate consistency between reported emergency access records and lock emergency sequence numbers and thereby validate the completeness of reported records and activity. Emergency access systems may be implemented such that they require an administrator of the secure locker system to enable their use. In this way and in addition to audit procedures, an operator of a secure locker system can ensure that emergency access is only used when it is appropriate.
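One way the server side audit described above could reconcile reported records against lock emergency sequence numbers. This is an added example, not code from the disclosure; the record layout, the per-lock baseline taken before failover, and the rule of one record per emergency code generation cycle are assumptions, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// AccessRecord is one emergency access record forwarded by the emergency
// access system (assumed layout: one record per code generation cycle).
type AccessRecord struct {
	LockID string
	Seq    uint64
}

// Finding lists the discrepancies for one lock.
type Finding struct {
	LockID    string
	Missing   []uint64 // cycles the lock ran with no reported record
	Duplicate []uint64 // cycles reported more than once
	Beyond    []uint64 // records outside the range the lock itself accounts for
}

func sortU64(s []uint64) { sort.Slice(s, func(i, j int) bool { return s[i] < s[j] }) }

// Audit checks that, for every lock, the reported records cover exactly the
// cycles baseline+1 .. reported, where baseline is the emergency sequence
// number known before failover and reported is the value read from the lock.
func Audit(records []AccessRecord, baseline, reported map[string]uint64) []Finding {
	seen := map[string]map[uint64]int{}
	ids := map[string]bool{}
	for _, r := range records {
		if seen[r.LockID] == nil {
			seen[r.LockID] = map[uint64]int{}
		}
		seen[r.LockID][r.Seq]++
		ids[r.LockID] = true
	}
	for id := range reported {
		ids[id] = true
	}
	var out []Finding
	for id := range ids {
		f := Finding{LockID: id}
		lo, hi := baseline[id], reported[id]
		for s := lo + 1; s <= hi; s++ {
			if seen[id][s] == 0 {
				f.Missing = append(f.Missing, s)
			}
		}
		for s, n := range seen[id] {
			if s <= lo || s > hi {
				f.Beyond = append(f.Beyond, s)
			} else if n > 1 {
				f.Duplicate = append(f.Duplicate, s)
			}
		}
		sortU64(f.Duplicate)
		sortU64(f.Beyond)
		if len(f.Missing)+len(f.Duplicate)+len(f.Beyond) > 0 {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].LockID < out[j].LockID })
	return out
}

func main() {
	// Constructed sample data: lock A is missing cycle 13 and reports 14 twice,
	// lock B is consistent, lock C has a record the lock does not account for.
	records := []AccessRecord{{"A", 11}, {"A", 12}, {"A", 14}, {"A", 14}, {"B", 5}, {"B", 6}, {"C", 3}}
	baseline := map[string]uint64{"A": 10, "B": 4, "C": 2}
	reported := map[string]uint64{"A": 14, "B": 6, "C": 2}
	for _, f := range Audit(records, baseline, reported) {
		fmt.Printf("%+v\n", f)
	}
}
```
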

While a primary benefit of emergency access systems is the continued servicing of existing rental contracts despite the unavailability of a server based system, in an embodiment, emergency access systems may additionally provide services to enable the initiation of new rental contracts despite the unavailability of a server based system. When a server based system returns to an available status, rental contracts initiated within the emergency access system can be forwarded for recording by the server based system and any further handling or required processing thereof, such as ongoing handling of active rental contracts, closure of rental contracts and submission of payment transactions that were deferred until the server based system became available.

In an embodiment, an emergency access device, similar to an operator device can be provided. An emergency access device may have limited functionality in comparison to an operator device. For example, an emergency access device may not be capable of initializing a lock. A primary use of an emergency access device may be to access a lockable compartment when prior attempts using a user's portable wireless device have failed. An operator of an emergency access device may be required to receive and enter a permission code from a secure locker system operator to enable an emergency access command to access a lockable compartment using the emergency access system. The provision of a permission code for such emergency access can be restricted and require procedures to ensure only a legitimate user is provided such emergency access.

Secure Locker System with Collapsible Lockable Compartments and Secure Storage Platform

Demand for secure temporary storage can be closely related to events and can vary depending on factors such as weather, the day of the week, time of day, event location, event popularity, and many other factors. For example, a sporting event on a weekday, starting near the end of the workday, and near a busy metropolitan area will likely be attended by many people wanting to store business and other workday related items. Other events are temporary in nature and permanent or semi-permanent secure storage lockers may not be practical. Given a fluctuation in demand and a temporary nature of many events, secure storage lockers that may be easily and compactly transported to a location when needed, and easily set up and taken down to be once again transported can be desirable.

In an embodiment, secure locker systems can be configured for use with, and comprise a portable, collapsible locker system comprising a collapsible and foldable lockable compartment and a collapsible and foldable base on which one or more collapsible lockable compartments may be placed in a stacked manner thereby forming a vertical locker stack assembly. Vertical stack assemblies may be situated with other vertical stacks to produce a locker bank. The collapsible lockable compartments and collapsible bases may be easily and compactly transported to a location when needed, and easily set up and taken down to be once again transported in order to address temporary and fluctuating demands associated with temporary secure storage. Furthermore, temporary secure storage arrangements can be flexibly configured to comprise individual lockers, stack assemblies and locker banks.

Collapsible lockers and bases may comprise fastening tabs and fastening pins and when assembled in adjacent rows and columns may form joining points wherein fastening tabs of three lockers (or lockers and bases) of adjacent rows and columns may be joined together with a common fastening pin, and in doing so result in two adjacent rows and two adjacent columns being secured together. Each locker of an upper row of lockers may be joined with a top panel which may be secured thereto by passing a locking bar through fastening tabs of joining points wherein a locking bar may comprise an end formed to prevent passage of the bar fully through an end joining point, and a hole which may pass through a joining point of another end. Once the hole of the locking bar has passed through the other end joining point, a lock hasp may be passed therethrough and a lock secured thereto, such that the locking bar may be locked in place, thereby securing the locker bank. The locking bar may additionally be passed through brackets mounted to a supporting wall in order to secure the locker bank to a supporting wall.

Chain of Custody with Intermediary Secure Storage Transfer Entities

In a chain of custody, each entity acting in the chain from origination to final receipt, including each intermediary, transfers control of property under custody as appropriate with their position in the chain. Property transfers between chain origination and chain termination, where an intended recipient receives custody of property, may be captured and securely recorded in order to securely document a chain of custody, wherein each participating entity is identified and authenticated, and their participation accurately captured and securely recorded.

Embodiments of secure locker systems may comprise a chain of custody service. A chain of custody service may be implemented to provide a varied scope of coverage. An embodiment may comprise a chain of custody service for transfers comprising secure temporary storage as a participating entity. When a secure lockable compartment as disclosed herein is used as an intermediary custody transfer entity, it can be identified and authenticated, and participate in a transfer that can be accurately captured and securely recorded. Furthermore, when a secure lockable compartment is used as an intermediary custody transfer entity, it may be particularly beneficial to accurately capture and securely record the transfer, since without recorded documentation of a transfer, disputes arising from a property loss may not be fully investigated. As such, an operator of a secure locker system may wish to offer a secure storage platform comprising a secure chain of custody service. In an embodiment, a secure locker system may comprise a secure chain of custody service for transfers where a secure lockable compartment is used as an intermediary custody transfer entity. In an embodiment, a secure locker system may comprise a secure chain of custody service for some or all transfers in a chain of custody from originating entity to end-recipient. In an embodiment, an originating entity or other entities in a chain of custody may specify a release authority, wherein a release authority is a specification which may specify requirements and actions necessary to authorize a custodian to release property of custody in a custody transfer transaction, and transfer release authority obligations to a receiving entity.
As such, where secure storage is a participating entity in a custody transfer transaction, a release authority may specify obligations of a storage platform and lockable compartment thereof, when receiving custody, and requirements and actions for a storage platform to execute in releasing custody from a lockable compartment to a receiving entity. Release authority specifications may comprise, but are not limited to, mechanisms for authentication of a receiving entity, such as specifying a secure locker access application and account by which to authenticate a receiving party; mechanisms for providing an access token to a receiving entity, such as specifying an email address or phone number to which to send an access token; requiring one or more release mechanisms; and requiring multifactor authentication.

A secure locker system with secure storage platform as disclosed herein may provide secure lockable compartments that may be identified by a lock ID (and location ID and locker ID) and require a cryptographically secure single use access authentication code for access. As such, the provision of a single use access authentication code to an authenticated entity, and the use by that authenticated entity of that single use access authentication code to access a lockable compartment in order to execute a custody transfer of property, can be accurately captured.

A secure storage platform may comprise a chain of custody service providing a custody transfer reporting service. In an embodiment, a chain of custody service of a secure storage platform may distribute certified custody transfer records, and further comprise a custody authentication ledger service, whereby an authenticity and integrity of a certified transfer record may be verified using a certificate retrieved from the authentication ledger. A ledger entry comprising an identifier of the certified transfer record, also referred to as a transfer ID, and a certificate thereof, may be created and written to a custody transfer authentication ledger. The certified transfer record may be distributed to interested parties, such as parties of the subject transfer or a previous or planned entity such as an originator or planned recipient. A secure chain of custody authentication service can then be queried by holders of certified transfer records to verify the authenticity and integrity thereof.

In an embodiment, an authentication ledger can be a blockchain ledger and may be maintained by multiple entities, such as entities having regular participation in chain of custody transfers, for example, package delivery services, leading online retailers and a secure locker system operator. Multiple participating entities can operate blockchain nodes and may enforce a consensus agreement therefrom as a requirement for adding a block of ledger entries to the blockchain. A blockchain so maintained can be immutable and certificates thereon in the form of ledger entries can be relied on for validating certified chain of custody records accordingly. Furthermore, a blockchain so maintained retains a consensus capability and comprises redundancy and continued availability when greater than 50% of the nodes are operable and available.

A custody transfer record may be certified by generating and associating a record certificate to the record. A record certificate can be a cryptographic hash of record fields comprised by the record (other than the certificate itself), such as an SHA-3 compliant hash, as published by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards Publication 202 (FIPS PUB 202), SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015. A cryptographic hash creates a digital fingerprint of the record fields for use as a certificate for inclusion in a record certification field. Any alteration of the record fields results in an unpredictable change in a calculated certificate, and the potential to modify a record and preserve a certificate value is highly improbable. As such, a record may be authenticated using a certificate obtained from the authentication ledger for a subsequent calculation of a hash of the custody transfer record, wherein should a matching hash result, the record is determined to be authentic and the integrity of the information therein is verified.
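
As an added illustration (not code from this disclosure), the sketch below certifies a custody transfer record with SHA3-256 and checks a distributed copy against the ledger entry stored under its transfer ID. The field names, the canonical JSON encoding and the single-node hash-chained list standing in for the blockchain ledger are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-hash value used by the first ledger entry


def digest(obj) -> str:
    """SHA3-256 (FIPS 202) over a canonical JSON encoding of obj."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha3_256(canonical.encode("utf-8")).hexdigest()


def record_certificate(record: dict) -> str:
    """Hash every record field other than the certificate itself."""
    return digest({k: v for k, v in record.items() if k != "certificate"})


def certify(record: dict) -> dict:
    """Return a copy of the record with its certificate field filled in."""
    return {**record, "certificate": record_certificate(record)}


class CustodyLedger:
    """Append-only, hash-chained list of (transfer ID, certificate) entries."""

    def __init__(self):
        self.entries = []

    def lookup(self, transfer_id: str):
        for entry in self.entries:
            if entry["transfer_id"] == transfer_id:
                return entry["certificate"]
        return None

    def append(self, transfer_id: str, certificate: str) -> None:
        if self.lookup(transfer_id) is not None:
            raise ValueError("transfer ID already on ledger")
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"transfer_id": transfer_id, "certificate": certificate, "prev": prev}
        self.entries.append({**body, "entry_hash": digest(body)})

    def chain_intact(self) -> bool:
        """Recompute every link; an edited entry breaks its own hash."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: entry[k] for k in ("transfer_id", "certificate", "prev")}
            if entry["prev"] != prev or entry["entry_hash"] != digest(body):
                return False
            prev = entry["entry_hash"]
        return True


def verify_record(record: dict, ledger: CustodyLedger) -> str:
    """Compare a freshly computed hash with the certificate held on the ledger.

    The certificate carried inside the record is never trusted: a holder who
    edits a field can recompute it, but cannot change the ledger entry.
    """
    if not ledger.chain_intact():
        return "ledger-corrupt"
    on_ledger = ledger.lookup(record.get("transfer_id", ""))
    if on_ledger is None:
        return "unknown-transfer"
    if hmac.compare_digest(on_ledger, record_certificate(record)):
        return "authentic"
    return "tampered"


def demo() -> dict:
    # Constructed sample record; every value here is illustrative.
    record = certify({
        "transfer_id": "T-0001",
        "releasing_entity": "courier-17",
        "receiving_entity": "lock-0042",
        "timestamp": "2024-05-01T14:03:22Z",
    })
    ledger = CustodyLedger()
    ledger.append(record["transfer_id"], record["certificate"])
    # A holder alters the receiving entity and recomputes the certificate.
    forged = certify({**record, "receiving_entity": "lock-0099"})
    return {
        "original": verify_record(record, ledger),
        "forged": verify_record(forged, ledger),
    }


if __name__ == "__main__":
    print(demo())
```

The forged copy fails even though its embedded certificate is internally consistent, which is why verification uses the certificate retrieved from the ledger.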

In conjunction with a custody transfer to a lockable compartment, such as by a package delivery courier, an access request may be made using a portable wireless device to open the lockable compartment, wherein a verification code generator of a lock access controller generates a verification code and a challenge code generator of a server based system generates a challenge code and sends it to the portable wireless device. The portable wireless device in turn sends an open lock command and the challenge code to the lock access controller, and if the codes match (and an access timer is still active, as will be described later), the lock is opened and access to the lockable compartment is provided. Upon successful access, the portable wireless device may relay a release authority to a server based system, wherein the release authority may specify the generation of a random value for use as an access token by an intended end recipient, and an email address to which a notification comprising the token is to be sent. In such a case, the server based system then encrypts the random access token using a derivation key for the lock of the lockable compartment and sends it in an open-on-token command to the lock. In a subsequent custody transfer, the end-recipient may access the lockable compartment with the proper entry of the access token in a keypad comprised by the lockable compartment.

In an embodiment, a lockable compartment may comprise a door status sensor, such that an opening and closing of a lockable compartment door can be observed by a lock access controller. Additional access events associated with a change of door status in a custody transfer and their time stamps can be reported to a server based system. In an embodiment, a lockable compartment may comprise a camera system comprising an illumination source, such that the contents of a lockable compartment may be recorded prior to an opening of a lock thereof and after a closing of the door, and resulting images and their time stamps can be reported to a server based system. A courier transferring custody of a package comprising a readable code comprising a tracking number can be instructed to orient the package in a lockable compartment comprising a camera such that the readable code indicating a package tracking number is visible to the camera system and will be visible in an image captured after the door is closed. In an embodiment, visual assistance showing a current view of a camera system can be displayed on a portable wireless device of a courier to assist in a satisfactory placement of a package. A chain of custody service of a secure storage platform may create and distribute a certified transfer record comprising a detailed account of an associated custody transfer comprising images documenting a transferred property. A ledger entry comprising a transfer ID and a certificate for the certified transfer record can be created and written to a custody authentication ledger maintained by a chain of custody authentication service of the secure storage platform.
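
The code exchange described above, as an added sketch that is not this disclosure's own implementation: the server and the lock access controller each derive the next code from a shared derivation key and the last access code, and the lock accepts a matching challenge once, while its access timer runs. HMAC-SHA-256, the 8-byte code length, the 60-second window and all names are assumptions.

```python
import hashlib
import hmac

ACCESS_WINDOW_S = 60.0  # assumed access timer length; the text gives no value
CODE_LEN = 8            # assumed code length in bytes


def derive_code(derivation_key: bytes, last_code: bytes) -> bytes:
    """Next single-use code from the derivation key and the last access code."""
    mac = hmac.new(derivation_key, b"access-code|" + last_code, hashlib.sha256)
    return mac.digest()[:CODE_LEN]


class ChallengeServer:
    """Server side: challenge code generator, one state entry per lock ID."""

    def __init__(self):
        self.locks = {}

    def enroll(self, lock_id: str, derivation_key: bytes, initial_code: bytes):
        self.locks[lock_id] = {"key": derivation_key, "last": initial_code}

    def issue_challenge(self, lock_id: str) -> bytes:
        state = self.locks[lock_id]
        code = derive_code(state["key"], state["last"])
        state["last"] = code  # advance so the same code is never issued twice
        return code


class LockAccessController:
    """Lock side: verification code generator plus access timer."""

    def __init__(self, derivation_key: bytes, initial_code: bytes):
        self.key = derivation_key
        self.last = initial_code
        self.pending = None
        self.deadline = 0.0

    def begin_access(self, now: float) -> None:
        """Access request: generate the verification code and start the timer."""
        self.pending = derive_code(self.key, self.last)
        self.last = self.pending
        self.deadline = now + ACCESS_WINDOW_S

    def open_lock(self, challenge: bytes, now: float) -> bool:
        """Open only for a matching challenge presented before the timer ends."""
        if self.pending is None:
            return False
        if now > self.deadline:
            self.pending = None  # expired codes are discarded
            return False
        if not hmac.compare_digest(self.pending, challenge):
            return False
        self.pending = None      # single use: a replay finds nothing pending
        return True


def run_exchange() -> list:
    # Constructed key, seed and lock ID for the demonstration.
    key, seed = bytes(range(32)), b"\x00" * CODE_LEN
    server = ChallengeServer()
    server.enroll("lock-0042", key, seed)
    lock = LockAccessController(key, seed)

    results = []
    lock.begin_access(now=0.0)
    first = server.issue_challenge("lock-0042")
    results.append(lock.open_lock(first, now=10.0))    # in time: opens
    results.append(lock.open_lock(first, now=11.0))    # replay: refused

    lock.begin_access(now=100.0)
    second = server.issue_challenge("lock-0042")
    results.append(lock.open_lock(second, now=161.0))  # timer ran out: refused

    lock.begin_access(now=200.0)
    third = server.issue_challenge("lock-0042")
    results.append(lock.open_lock(first, now=201.0))   # stale code: refused
    results.append(lock.open_lock(third, now=202.0))   # current code: opens
    return results


if __name__ == "__main__":
    print(run_exchange())
```

In this model each access request consumes one code on both sides, so the server and the lock stay in step only if every request reaches both; a deployment would need a resynchronization path for lost requests.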

Post-Delivery Redirected Delivery, En Route Delivery and Other Flexible Delivery and Dispatch Services

In various embodiments, a secure locker system comprising chain of custody services can provide various secure delivery and dispatch services comprising post-delivery redirected delivery, en route and impromptu delivery and dispatch services and other flexible delivery and dispatch services. For example, an intended recipient may be notified that a package has been delivered to a lockable compartment at their condominium residence while they are away from home. Yet they would benefit from receiving the package prior to their planned return home. In an embodiment, they can authorize and schedule a transfer of custody to a delivery service and have the package securely collected from the lockable compartment and delivered to their present location, planned future location or securely delivered to a lockable compartment in a convenient proximity thereto. As such, a user schedules a post-delivery redirected delivery, wherein the user engages a service and updates or otherwise establishes a release authority with a secure storage platform which specifies the engaged service as a receiving entity for a transfer of custody from the secure lockable compartment comprising the package, and further specifies the user as the end-recipient, thereby permitting the engaged service to complete the post-delivery redirected delivery.

In an embodiment, an intended recipient may be traveling and may have a package delivery synchronized with their travel itinerary such that delivery is conveniently made to a secure lockable compartment accessible en route. As such, a user engages a delivery service, and if the package has yet to ship from an originator, the user creates a new release authority which specifies the engaged service as a receiving entity for a transfer of custody from the originator, the user as the end-recipient of an en route delivery, and an en route delivery location. If the package has already shipped, a current release authority is updated to permit the current courier to change the delivery location to an en route location with the user as the end-recipient. Regardless of which case is used, namely, a new or updated release authority, the release authority permits the engaged service to make an en route delivery.

In an embodiment, a person may dispatch a package (in a planned dispatch) for delivery while traveling by accessing a lockable compartment, transferring custody of the package thereto and scheduling a transfer of custody to a delivery service. In an embodiment, a person may have temporarily secured property in a lockable compartment, such as in a lockable compartment at a sporting event or at a concert venue, and later have their items delivered to them (in an impromptu dispatch) rather than return to the lockable compartment themselves. For an impromptu dispatch delivery, the user engages a service for the dispatch delivery and creates or updates a release authority permitting the lockable compartment to release custody to a specified dispatch courier for delivery to a recipient specified by and which typically is the user. For a planned dispatch delivery, custody is transferred from the user as an originator to a lockable compartment and a release authority is created permitting the lockable compartment to release custody to a specified dispatch courier for delivery to a recipient specified by and which may be the user. Regardless of which case is used, namely, a newly created or updated release authority, the release authority permits the engaged service to collect the property from the lockable compartment and make the dispatch delivery.

Secure Claim Check and Valet Services

In an embodiment, a secure storage platform can secure property in a claim check based service that may be supervised by a proximate attending operation, such as hotel bag-check services. Of a similar nature to bag-check services are coat-check services. Also of similar nature are valet services, where control of a vehicle is temporarily transferred by transferring the keys for the vehicle to a valet attendant. In a claim check application and in a vehicle valet service comprising a secure storage platform and chain of custody service, a transfer of custody of checked property and keys (and indirectly valeted vehicles), and a return transfer thereof, can be securely captured and recorded. In an embodiment, theft of a checked or valeted item such as a checked bag of luggage or a set of car keys (and associated vehicle) can be detected and may be tracked for a potential recovery thereof.

A secure storage platform comprising a claim check service may comprise a plurality of electronic lockable tags, also referred to as e-tags. Generally, a claim check service may comprise a quantity of e-tags commensurate for an upper potential quantity of concurrently checked items. E-tags may comprise a lock access controller comprising a verification code generator, code derivation key and last access code for generating a verification code for comparison to a received challenge code, whereupon a matching verification code and challenge code, the lock access controller opens a lock thereon. Dissimilar to a lockable compartment application, e-tags may be secured to property when assigned custody thereof, rather than securing access to property as in the case of a lockable compartment. A user of a portable wireless device comprising a secure storage application or an operator of an operator device may scan a readable code of an e-tag when checking property with the claim check service. For example, a user checking a bag may be presented with an e-tag and scan a code thereon which then assigns the e-tag for use by the user to check property thereof. Alternatively, an operator can register the user within the system using an operator device and scan the code to assign the e-tag to the user. In an alternative embodiment, an alternative method for assignment can be used, such as a claim check operator can reference a user account, such as a conference registration or a hotel registration and link the assignment thereto. Alternatively, a server based system may make a selection and assignment, and flash an indicator, such as an LED indicator comprised by the e-tag to alert an operator of the assignment. After an e-tag is assigned, a release authority specifying a release to the user as an end-recipient is created and a custody transfer is initiated.
A device that was used in the assignment of the e-tag, such as an operator device or user portable wireless device can connect to a server based system and a lock access controller of the e-tag to respectively obtain and present a challenge code for comparison to an independently generated verification code and open the e-tag lock hasp. The e-tag is secured to the property being checked by closing a lock hasp thereof attaching it to a feature of the property such that it is secured thereto. For example, the hasp may be closed such that the e-tag is secured to a handle, or feature thereof, of a luggage bag. Or in the case of a valet service, the hasp may be closed such that the e-tag is secured to a key fob remote or key to a vehicle. Once an e-tag is secured to property, custody may be transferred to the e-tag, wherein a releasing entity is the user and the receiving entity is the e-tag.

To claim checked property, an e-tag may be scanned by a user of a portable wireless device claiming their property checked with the claim check service using a secure storage app and account recognized by a server based system and running on their portable wireless device. Alternatively, the user may select a function of the app to show currently checked items to retrieve the e-tag based claim check. If an operator device or server based system was used to assign the e-tag, it may alternatively be used to scan or otherwise retrieve the e-tag after the identity of the user is verified by an operator of the checked storage service. Once an e-tag is determined to be the e-tag with custody of the property of interest, the server based system, via the portable wireless device or the operator device, may indicate the e-tag by actuating an indicator. The user is authenticated, either through use of their device and secure storage app and account running thereon, or through identity information entered or acknowledged by the operator on an operator device. Upon authentication, custody may be transferred back to the user per a release authority, wherein the releasing entity is the e-tag and the receiving entity is the user. After custody has been transferred to the user, the e-tag lock may be opened using a challenge code generated by a challenge code generator of a server based system and communicated via a user or operator device to a lock access controller of the e-tag and the e-tag is removed from the checked property.

In an embodiment, an e-tag may further comprise a tracking device comprising a location or trackable feature, such as a global positioning system (GPS) capability, and long range communications capability, such as a low-power wide-area network (LPWAN), like ultra-narrowband (UNB). The tracking device may periodically report its current position to a receiver which in turn reports the location of the e-tag to the server based system. As such, if property in custody of, and to which an e-tag is attached, is stolen, it may be tracked and potentially recovered. Furthermore, a permitted location or proximate location for an e-tag may be established, such that if an e-tag reports a violating location, an alert can be issued by a server based system indicating a potential theft of the property in custody of the e-tag.

In an embodiment, a lower cost implementation comprising simple non-electronic printed tags (non-e-tags) having readable codes can be used, wherein the readable codes are read by portable wireless devices to assign non-e-tags and transfer custody thereto and therefrom.

The possible and illustrative embodiments disclosed herein should not be construed as an exhaustive list. Rather the various embodiments presented serve to illustrate only some of the various ways to practice the invention and many additional combinations of features and configurations are possible within the scope of the invention disclosed herein.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The accompanying drawings, which are included to provide a further understanding of the disclosed subject matter, are incorporated in and constitute a part of this specification. The drawings also depict possible and illustrative embodiments of the disclosed subject matter and together with the detailed description serve to explain the principles of the disclosed subject matter.

FIG. 1A is an example illustration depicting a system diagram of an example embodiment of a secure locker system.

FIG. 1B is an example illustration depicting a diagram of example components of a device 10.

FIG. 2A is an example illustration depicting a lock access table.

FIG. 2B is an example illustration depicting an access event table.

FIG. 2C is an example illustration depicting a lockable compartment access table.

FIG. 3A is an example illustration depicting a portion of the system diagram of a secure locker system of FIG. 1A.

FIG. 3B is an example illustration depicting a portion to a portion of the system diagram of a secure locker system of FIG. 1A.

FIG. 3C is an example illustration depicting a portion of the system diagram of a secure locker system of FIG. 1A.

FIG. 3D is an example illustration depicting a portion to a portion of the system diagram of a secure locker system of FIG. 1A.

FIG. 4A is an example illustration depicting a flowchart representation of a lock initialization process.

FIG. 4B is an example illustration depicting a flowchart representation of a process to open a lock of a lockable compartment for opening and access thereof.

FIG. 5 is an example illustration depicting a flow diagram representation of a secure locker rental application.

FIG. 6A is an example illustration depicting a home view screen of a secure locker rental application.

FIG. 6B is an example illustration depicting a map/locate screen of a secure locker rental application.

FIG. 6C is an example illustration depicting a selection screen of a secure locker rental application.

FIG. 6D is an example illustration depicting a selection screen of a secure locker rental application.

FIG. 6E is an example illustration depicting a rent screen of a secure locker rental application.

FIG. 6F is an example illustration depicting a rental confirmation screen of a secure locker rental application.

FIG. 6G is an example illustration depicting a current rentals screen of a secure locker rental application.

FIG. 6H is an example illustration depicting a confirmation screen of an end rental session function of a secure locker rental application.

FIG. 7A is an example illustration depicting an unfolded collapsible and foldable lockable compartment.

FIG. 7B is an example illustration depicting a partially folded collapsible and foldable lockable compartment.

FIG. 7C is an example illustration depicting a folded collapsible and foldable lockable compartment.

FIG. 7D is an example illustration depicting an unfolded collapsible and foldable base.

FIG. 7E is an example illustration depicting a partially folded collapsible and foldable base.

FIG. 7F is an example illustration depicting a folded collapsible and foldable base.

FIG. 7G is an example illustration depicting a locker stack assembly.

FIG. 7H is an example illustration depicting a top panel for the stack assembly of FIG. 7G.

FIG. 7I is an example illustration depicting a partially folded collapsible and foldable lockable compartment comprising an additional fastening tab.

FIG. 7J is an example illustration depicting a folded collapsible and foldable lockable compartment comprising an additional fastening tab.

FIG. 7K is an example illustration depicting a partially folded collapsible and foldable base comprising an additional fastening tab.

FIG. 7L is an example illustration depicting a folded collapsible and foldable base comprising an additional fastening tab.

FIG. 7M is an example illustration depicting a partially assembled locker bank of collapsible and foldable lockers and bases.

FIG. 7N is an example illustration depicting a top panel comprising an additional fastening tab.

FIG. 7O is an example illustration depicting a joining point of three lockers.

FIG. 7P is an example illustration depicting a joining point of two bases and one locker.

FIG. 7Q is an example illustration depicting a joining point of two lockers and two top panels.

FIG. 7R is an example illustration depicting an assembled locker bank of collapsible and foldable lockers and bases comprising a locking bar.

FIG. 8A is an example illustration depicting a chain of custody beginning with an originator, ending with a recipient and comprising two intermediary custodians.

FIG. 8B is an example illustration depicting a process for processing and recording a custody transfer and updating a custody authentication ledger.

FIG. 8C is an example illustration depicting combining a chain of custody of FIG. 8A and a process for processing a custody transfer of FIG. 8B illustrated for a package delivery scenario.

FIG. 8D is an example illustration depicting a system that can be used with a process of FIG. 8C.

FIG. 8E is an example illustration of a process for maintaining chain of custody records and an authentication ledger.

FIG. 9A is an example illustration depicting a custody event table.

FIG. 9B is an example illustration depicting a custody transfer table.

FIG. 9C is an example illustration depicting a custody authentication ledger table.

FIG. 9D is an example illustration depicting a portion of a blockchain custody authentication ledger.

FIG. 10A is an example illustration depicting a post-delivery redirected delivery process.

FIG. 10B is an example illustration depicting an en route delivery process.

FIG. 10C is an example illustration depicting an impromptu and planned dispatched delivery process.

FIG. 11A is an example illustration of a secure storage system comprising a claim check service.

FIG. 11B is an example illustration of a process to check property using the system of FIG. 11A.

FIG. 11C is an example illustration of a process to claim checked property using the system of FIG. 11A.

DETAILED DESCRIPTION OF THE INVENTION

Detailed example embodiments of the present invention are disclosed herein; however, it is to be understood that the disclosed embodiments are merely illustrative of the invention that may be embodied in various forms. In addition, each of the examples given in connection with the various embodiments of the invention is intended to be illustrative, and not restrictive.

The following detailed example embodiments refer to the accompanying drawings. The same reference number may appear in multiple drawings and when appearing in multiple drawings will identify the same or similar elements. For brevity, a reference number and its referenced element will be disclosed in accompanying text herein and in relation to a first appearance in the drawings, but may not be explicitly referred to in accompanying text again when appearing in subsequent drawings.

This disclosure provides a detailed description of secure storage platforms and their application in secure temporary property storage applications. Such secure temporary property storage applications may comprise, but are not limited to: secure locker systems; secure locker systems comprising emergency access; secure locker systems comprising collapsible lockable compartments; secure storage systems comprising chain of custody management, recording and authentication; redirected delivery including post-delivery redirected delivery, en route delivery and dispatch delivery services comprising chain of custody services; and secure property claim check and car valet systems. A secure storage platform will initially be disclosed in conjunction with an example illustration of a secure locker system and method.

Secure Locker System Comprising a Secure Storage Platform

FIG. 1A is an example illustration depicting a system diagram of an example embodiment of a secure locker system 100. Secure locker system 100 comprises a server based system 111 comprising one or more servers, software services and data services, and may be a cloud based system. Server based system 111 also comprises a communications link 181 to a communications network 180 and is thereby accessible by a plurality of devices and systems. In an embodiment, secure locker system 100 may additionally comprise one or more server based emergency access systems 119 a, 119 b and 119 c, each of which may comprise one or more servers, software services and data services; may be a cloud based system or may be located at or in proximity of a venue comprising a secure locker operation; and may provide uninterrupted locker access operations in the event that server based system 111 is not functional, not accessible or otherwise unavailable to support needed services. Server based emergency access systems 119 a, 119 b and 119 c further comprise communications links 189 a, 189 b and 189 c, respectively, to communications network 180 and are thereby accessible by a plurality of devices and systems.

Secure locker system 100 further comprises a plurality of lockable compartments, such as lockable compartments 120 a, 120 b, 120 c, 120 d, 120 e and 120 f (120 a-120 f), which may also be referred to herein as secure storage lockers, secure lockers, storage lockers, lockers or units. Lockable compartments may be organized in groupings in varying numbers of units and of varying styles of construction and configuration, such as varying unit size and varying style of lock. A plurality of lockable compartments organized in a grouping may be referred to herein as a bank of lockable compartments, secure locker bank or locker bank. The example illustration of FIG. 1A depicts three locker banks 130, 132 and 134 comprising eight, eight and six lockable compartments, respectively. Generally, locker banks may be located in various geographic locations and do not require a particular geographic relationship to one another or to server based system 111.

In the example illustration of FIG. 1A, secure locker bank 130 compriseseight lockable compartments including lockable compartments 120 a and120 b. Lockable compartment 120 a comprises a door 121 a and acontrollable electromechanical lock 122 a which may be mounted to andgenerally hidden by door 121 a, and is represented in the exampleillustration of FIG. 1A with an outline referenced by reference number122 a. A controllable electromechanical locks may be referred to hereinsimply as lock. Lock 122 a may comprise a status indicator 126 a, suchas an LED for a visual status indicator and may also comprise an audioindicator, such as a tone generator. Door 121 a further comprises ahandle 123 a. Similarly lockable compartment 120 b comprises a door 121b comprising a handle 123 b and a lock 122 b which may be mounted to andgenerally hidden by door 121 b and may comprise a status indicator 126b. Door 121 b further comprises a keypad 124 b which may be an assembledpart of lock 122 b or is otherwise operably connected to lock 122 b.Locker bank 130 further comprises a communications link 184 tocommunications network 180 and thereby may communicate with server basedsystem 111.

In the example illustration of FIG. 1A, secure locker bank 132 compriseseight lockable compartments including lockable compartments 120 c and120 d. Similar to lockable compartment 120 a, lockable compartment 120 ccomprises a door 121 c comprising a handle 123 c and a lock 122 c whichmay be mounted to and generally hidden by door 121 c and may comprise astatus indicator 126 c. In the example given, the handle 123 c is anassembled part of or otherwise operably connected to lock 122 c and isrotatable such that it is operable to retract a bolt (not shown)securing the closure of door 121 c when so enabled for opening. Similarto lockable compartment 120 c, lockable compartment 120 d comprises adoor 121 d comprising a handle 123 d and a lock 122 d which may bemounted to and generally hidden by door 121 d and may comprise a statusindicator 126 d. Handle 123 d is an assembled part of or otherwiseoperably connected to lock 122 d and is rotatable such that it isoperable to retract a bolt (not shown) securing the closure of door 121d when so enabled for opening. Door 121 d further comprises a keypad 124d which may be an assembled part of lock 122 d or is otherwise operablyconnected to lock 122 d. Locker bank 132 further comprises kiosk 140 anda communications link 185 to communications network 180 and is therebyaccessible to server based system 111 which is also connected to network180. Kiosk 140 comprises a touchscreen 142, a keypad 144 and a cardreader 146.

In the example illustration of FIG. 1A, secure locker bank 134 comprises six lockable compartments including lockable compartments 120 e and 120 f. Lockable compartment 120 e is similar to lockable compartment 120 a and comprises a door 121 e comprising a handle 123 e and a lock 122 e which may be mounted to and generally hidden by door 121 e and may comprise a status indicator 126 e. Lockable compartment 120 f is similar to lockable compartment 120 b and comprises a door 121 f comprising a handle 123 f and a lock 122 f which may be mounted to and generally hidden by door 121 f and may comprise a status indicator 126 f. Door 121 f further comprises a keypad 124 f which may be an assembled part of lock 122 f or is otherwise operably connected to lock 122 f. Locker bank 134 does not comprise a communications link to communications network 180 as do locker banks 130 and 132, which have communications links 184 and 185, respectively.

Secure locker system 100 may also comprise one or more portable wireless devices, as shown in the example illustration of FIG. 1A and depicted by portable wireless devices 150, 152 and 154. Portable wireless devices 150, 152 and 154 are useable by users for interacting with the secure locker system 100 to rent and access a lockable compartment or access an otherwise assigned lockable compartment, or perform other related interactions such as search for available lockable compartments, terminate a locker rental and the like. Portable wireless devices 150, 152 and 154 can be smartphones, and may also be smartwatches, cell phones, tablets, laptops and other devices which provide a user interface and can be communicatively connected to server based system 111 and to locks, such as locks 122 a-122 f. Portable wireless devices 150, 152 and 154 may comprise at least one type of wireless communications capability such as a cellular internet communications capability, herein also referred to as a wide area network (WAN) capability, a short range communications capability, such as Bluetooth communications, and a wireless local area network (WLAN) capability such as an IEEE 802.11 based WLAN (Wi-Fi), and many devices, such as many smartphone portable wireless devices, may comprise all three of WAN, short range and WLAN communications. In the example illustration of FIG. 1A, portable wireless devices 150, 152 and 154 are each depicted comprising two communications links. Links 190, 192 and 194 of devices 150, 152 and 154, respectively, are represented as lightning bolt symbols and are short range links. Links 186, 187 and 188 of devices 150, 152 and 154, respectively, are represented as solid lines and may be WAN links, WLAN links or both.

Secure locker system 100 may additionally comprise one or more operator devices, such as a computer 112 or a tablet 113, which comprise a communications link 182 or 183, respectively. Operator devices 112 and 113 are used by personnel engaged in managing the operations of secure locker system 100, and may be used to perform such functions as review the volume of locker rentals over time, review advanced rental bookings, review the current number of available lockers, review the anticipated or predicted shortages of available lockers, review actual and projected rental revenues, review and report issues, review and issue maintenance requests, and the like. Operator devices 112 and 113 may additionally be laptop computers, smartphones and other electronic devices, and be used for locker installation and maintenance operations of lockable compartments and locker bank installations. Operator devices 112 and 113 may additionally comprise wireless communications capability such as a cellular internet (WAN) communications capability and a wireless local area network (WLAN) capability such as an IEEE 802.11 based WLAN (Wi-Fi), which are illustrated in FIG. 1A by communications links 182, for device 112, and 183, for device 113. Additionally, operator devices 112 and 113 may comprise a short range communications capability, such as Bluetooth communications, as depicted by links 196 and 198, respectively.

FIG. 1B is an example illustration depicting a diagram of example components of a device 10. Device 10 may correspond to server based system 111, operator devices 112 and 113, kiosk 140, portable wireless devices 150, 152 and 154, and emergency access systems 119 a, 119 b and 119 c. Device 10 may also correspond to lock access controllers which may be comprised by intelligent electromechanical locks or controller boards controlling simple electromechanical locks, not explicitly depicted in FIG. 1A. As depicted in FIG. 1B, device 10 may comprise a bus 11, a processor 12, a memory 13, a storage component 14, an input component 15, an output component 16, and a communication interface 17. In some embodiments, server based system 111, operator devices 112 and 113, kiosk 140, portable wireless devices 150, 152 and 154, emergency access systems 119 a, 119 b and 119 c and/or lock access controllers may include one or more devices 10 and/or one or more components of device 10.

Bus 11 includes a component that permits communication among the components of device 10. Processor 12 may be implemented in hardware, firmware, or a combination of hardware and firmware. Processor 12 includes a processor (e.g., a central processing unit (CPU), a graphics processing unit (GPU), and/or an accelerated processing unit (APU)), a microprocessor, a microcontroller, and/or any processing component (e.g., a field-programmable gate array (FPGA) and/or an application-specific integrated circuit (ASIC)) that interprets and/or executes instructions. In some implementations, processor 12 includes one or more processors capable of being programmed to perform a function. Memory 13 includes a random access memory (RAM), a read only memory (ROM), and/or another type of dynamic or static storage device (e.g., a flash memory, a magnetic memory, and/or an optical memory) that stores information and/or instructions for use by processor 12.

Storage component 14 stores information and/or software related to the operation and use of device 10. For example, storage component 14 may include a hard disk (e.g., a magnetic disk, an optical disk, a magneto-optic disk, and/or a solid state disk), a compact disc (CD), a digital versatile disc (DVD), a floppy disk, a cartridge, a magnetic tape, and/or another type of non-transitory computer-readable medium, along with a corresponding drive.

Input component 15 includes a component that permits device 10 to receive information, such as via user input (e.g., a touch screen display, a keyboard, a keypad, a mouse, a button, a switch, and/or a microphone). Additionally, or alternatively, input component 15 may include a sensor for sensing information (e.g., a global positioning system (GPS) component, an accelerometer, a gyroscope, and/or an actuator). Output component 16 includes a component that provides output information from device 10 (e.g., a display, a speaker, and/or one or more light-emitting diodes (LEDs)).

Communication interface 17 includes a transceiver-like component (e.g., a transceiver and/or a separate receiver and transmitter) that enables device 10 to communicate with other devices, such as via a wired connection, a wireless connection, or a combination of wired and wireless connections. Communication interface 17 may permit device 10 to receive information from another device and/or provide information to another device. For example, communication interface 17 may include an Ethernet interface, an optical interface, a coaxial interface, an infrared interface, a radio frequency (RF) interface, a universal serial bus (USB) interface, a Wi-Fi interface, a cellular network interface, or the like.

Device 10 may perform one or more processes described herein. Device 10 may perform these processes in response to processor 12 executing software instructions stored by a non-transitory computer-readable medium, such as memory 13 and/or storage component 14. A computer-readable medium is defined herein as a non-transitory memory device. A memory device includes memory space within a single physical storage device or memory space spread across multiple physical storage devices. In some implementations, a memory device may be cloud-based, partially cloud-based, or not cloud-based.

Software instructions may be read into memory 13 and/or storage component 14 from another computer-readable medium or from another device via communication interface 17. When executed, software instructions stored in memory 13 and/or storage component 14 may cause processor 12 to perform one or more processes described herein. Additionally, or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software.

The number and arrangement of components shown in FIG. 1B are provided as an example. In practice, device 10 may include additional components, fewer components, different components, or differently arranged components than those shown in FIG. 1B. Additionally, or alternatively, a set of components (e.g., one or more components) of device 10 may perform one or more functions described as being performed by another set of components of device 10.

Returning to FIG. 1A, server based system 111 may enable a portable wireless device for secure access to a lockable compartment by providing the portable wireless device with a single use access authentication code for use as a challenge code. A single use access authentication challenge code is unique to a single access transaction. A single use access authentication code is also independently generated by a lock access controller controlling the lock of the lockable compartment to be accessed for use as a corresponding verification code. The use of access authentication codes that may only be used once ensures that the disclosure and malicious capture of any code limits the exposure to unauthorized access to a single access event of a specific lockable compartment. In an embodiment, a challenge code may only be generated and provided by server based system 111 to a requesting portable wireless device when the requesting portable wireless device is in close proximity to the lockable compartment to be accessed. As such, at the time the code is generated, the user of the requesting portable wireless device is presumably readying to open the lockable compartment and the challenge code has a substantially limited useful lifetime which may commonly be less than a second. In an embodiment, a challenge code and independently generated verification code may only be generated upon the initiation of an access request presented to a lock access controller, upon which a time window for use of the verification and challenge codes may be established, wherein if the codes are not used in conjunction with an access event within the time window, the codes expire and are no longer useable.

A secure protocol may be established for independent generation of single use access authentication codes by server based system 111 for each lock. A secure protocol may use encryption such as the Advanced Encryption Standard (AES) published by the National Institute of Standards and Technology (NIST). Code derivation encryption keys, also referred to herein as code derivation keys or derivation keys, may be established such that they are solely known to the server based system 111 and a lock access controller which may reside within a lock or a controller board controlling one or more locks. When a lock is to be made operable in secure locker system 100, it can be initialized with a unique code derivation key and an input code which reside in each of: a) the lock access controller controlling the lock for use in generating verification codes by a verification code generator comprised by the lock access controller, wherein the lock access controller comprises a processor programmed to generate verification codes, and b) a lock access table maintained by server based system 111 for use in generating challenge codes by a challenge code generator comprised by server based system 111, wherein server based system 111 comprises a processor programmed to generate challenge codes. Upon a first access of a newly initialized lock, a first generated single use access authentication code is generated by both server based system 111, for use as a challenge code, and the lock access controller controlling the accessed lock, for use as a verification code, by independently encrypting the input code with the code derivation key independently comprised therein. A second access code and further subsequent access codes are generated by encrypting the last generated access code with the code derivation key. As such, a next single use access authentication code may be represented by the following equation:

Code(n)=E[Code(n−1),CDK]

Where:

-   Code (n) is the next single use access authentication code following the last generated code,
-   Code (n−1) is the last generated single use access authentication code,
-   E is a suitable encryption method such as AES and comprises as inputs the last generated access authentication code, Code (n−1), as the input code and a code derivation key, CDK, and
-   CDK is the code derivation key which is used to encrypt the last generated single use access authentication code, Code (n−1) as the input code, to create the next code, Code (n).

The process for initializing a lock, such as locks 122 a-122 f, for use in secure locker system 100 and the process for enabling a portable wireless device, such as devices 150, 152 and 154, for accessing a lockable compartment, such as compartments 120 a-120 f and opening a lock 122 a-122 f thereof, will be described in more detail in conjunction with FIG. 4A and FIG. 4B, respectively, and further in conjunction with and following an overview of FIG. 2A and FIG. 3A. FIG. 2A is an example illustration depicting a lock access table 200 which may be comprised by server based system 111. Lock access table 200 comprises a location ID column 210, a locker ID column 212, a lock ID column 214, an input code column 216, a derivation key column 218 and a sequence number column 220. In the example illustration, lock access table 200 comprises a plurality of records 201 through 206, wherein records 201 and 202 are associated with lockers 120 a and 120 b, and locks 122 a and 122 b, of locker bank 130; records 203 and 204 are associated with lockers 120 c and 120 d, and locks 122 c and 122 d, of locker bank 132; and records 205 and 206 are associated with lockers 120 e and 120 f, and locks 122 e and 122 f, of locker bank 134. FIG. 3A is an example illustration depicting a portion of secure locker system 100 of FIG. 1A, comprising lock 122 e of locker bank 134, portable wireless device 154, operator device 113, server based system 111 and network 180. FIG. 4A is an example illustration depicting a flowchart representation of a lock initialization process 400. FIG. 4B is an example illustration depicting a flowchart representation of a process 440 to open a lock of a lockable compartment for opening and access thereof.

Referring to process 400 of FIG. 4A in conjunction with FIG. 2A and FIG. 3A, an operator device 113 is connected with server based system 111 over network 180 and communications links 183 and 181. An operator of operator device 113 initiates process 400 to initialize lock 122 e which begins in step 402. Operator device 113 and server based system 111 exchange or have already exchanged public keys of respectively comprised public/private key pairs and can also use digital certificates issued from trusted third party certificate authorities to mutually authenticate each other in order to engage in lock initialization process 400. The public keys may be used to securely exchange independently generated derivation key component values and input code component values, using an asymmetric encryption such as the Rivest-Shamir-Adleman (RSA) asymmetric encryption. The component values are then individually assembled within operator device 113 and server based system 111 to create a shared code derivation key and shared input code needed for initialization process 400. In an embodiment, lock access controller 128 e (FIG. 3A) of lock 122 e comprises asymmetric encryption and operator device 113 provides lock access controller 128 e with the server based system 111 public key, such that derivation key and input code component values may be generated and encrypted within lock access controller 128 e. In such an embodiment, an unencrypted lock derivation key component and unencrypted input code component need not reside outside of lock access controller 128 e, thereby eliminating the ability to intercept these values in an unencrypted (clear text) form outside of lock access controller 128 e.

The relationship between exchanged code derivation key component values, public/private key pairs and the assembled shared code derivation key is shown in Table 1 below. For brevity, the operator device 113 or lock access controller 128 e generated components can be referred to as lock code derivation key component, or lock key component, and lock input code component, and the server based system 111 generated components can be referred to as system code derivation key component, or system key component, and system input code component.

TABLE 1 Secure Exchange of Code Derivation Key Components for Shared Key Generation

| Operation | Operator Device or Lock Access Controller | Server Based System |
|---|---|---|
| Randomly Generate Key Component | LoDKComp | SyDKComp |
| Encrypt Key Component | E [LoDKComp, SyPuK] | E [SyDKComp, OpPuK] |
| Decrypt Received Key Component | D [SyDKComp, OpPrK] | D [LoDKComp, SyPrK] |
| Generate/Assemble Key | A [LoDKComp, SyDKComp] | A [LoDKComp, SyDKComp] |

Where:

-   LoDKComp is the lock key component,
-   LoDKComp is the encrypted lock key component,
-   SyDKComp is the system key component,
-   SyDKComp is the encrypted system key component,
-   OpPuK is the operator device public key,
-   OpPrK is the operator device private key,
-   SyPuK is the server based system public key, and
-   SyPrK is the server based system private key.

The relationship between exchanged input code component values, public/private key pairs and the assembled shared input code is shown in Table 2 below.

TABLE 2 Secure Exchange of Input Code Components for Shared Input Code Generation

| Operation | Operator Device or Lock Access Controller | Server Based System |
|---|---|---|
| Randomly Generate Input Code Comp. | LoICComp | SyICComp |
| Encrypt Input Code Component | E [LoICComp, SyPuK] | E [SyICComp, OpPuK] |
| Decrypt Received Input Code Comp. | D [SyICComp, OpPrK] | D [LoICComp, SyPrK] |
| Assemble Input Code | A [LoICComp, SyICComp] | A [LoICComp, SyICComp] |

Where:

-   LoICComp is the lock input code component,
-   LoICComp is the encrypted lock input code component,
-   SyICComp is the system input code component,
-   SyICComp is the encrypted system input code component,
-   OpPuK is the operator device public key,
-   OpPrK is the operator device private key,
-   SyPuK is the server based system public key, and
-   SyPrK is the server based system private key.

In step 404 operator device 113 attempts to establish a secure connection 198 (FIG. 3A) with lock 122 e using a secure communication protocol, for example, a Bluetooth security level 4, security mode 2 secure connection, as described in NIST Special Publication 800-121, Revision 2, published May 2017. In step 406, once secure connection 198 is established, the process moves to step 408, wherein operator device 113 issues a service mode command to lock 122 e. This command can result in multiple process steps not depicted in FIG. 4A, such as indicating, via communications links 183 and 181 and network 180, a service mode request to server based system 111 to put lock 122 e into a service mode, and receiving in response a challenge code and an encrypted sequence number as a secure service mode token, wherein the encrypted sequence number is encrypted using the code derivation key. Referring to the example illustration of lock access table 200 of FIG. 2A, to prepare this response comprising a challenge code and encrypted sequence number, server based system 111 retrieves the input code, derivation key and sequence number for lock 122 e from record 205. For locks not previously initialized and put into use, these values may be based on keys, codes and sequence numbers created during a lock access controller production process, and may be unique or default values. Generally, in addition to its use as a service mode token used to establish a service mode in a lock, a sequence number can be used to maintain synchronization between server based system 111 and a lock access controller, and can also approximate or equal the number of actual access cycles of a lock if the sequence number is initially set to zero during manufacturing. Maintaining a record of lock access cycles can be useful for service, maintenance and reliability procedures and analysis of locks over their service lifetime. Server based system 111 then encrypts the input code, which may simply be a default input code created during manufacturing, using the derivation key to generate a challenge code needed for the pending service mode command. Server based system 111 encrypts the sequence number using the derivation key to generate an encrypted sequence number which is also needed as a secure token for the pending service mode command. As will be seen more clearly later, restricting provision of an encrypted sequence number for use by an authenticated operator device to invoke a lock service mode prevents a rogue device spoofing as a user device from invoking a lock service mode armed solely with a challenge code. Server based system 111 then responds to operator device 113 with the required challenge code and encrypted sequence number. Operator device 113 then issues to lock 122 e via short range connection 198 the service command comprising the challenge code and encrypted sequence number. Lock access controller 128 e of lock 122 e maintains data corresponding to record 205 comprising an input code, derivation key and sequence number, and independent of server based system 111 generates a verification code and encrypted sequence number (or alternatively decrypts the received encrypted sequence number). In step 410, if the verification code matches the challenge code and the received encrypted sequence number matches the lock generated encrypted sequence number (or alternatively the decrypted received sequence number matches the lock sequence number), the lock successfully enters service mode and the lock opens, wherein a lock bolt 125 e retracts and an indicator 126 e may indicate a successful entry into service mode (e.g., flashing a green color and/or sounding a brief tone). If in step 410 the verification code and challenge code do not match, or the received encrypted sequence number and lock generated encrypted sequence number do not match (or alternatively the decrypted received sequence number does not match the lock sequence number), then the service mode command fails, indicator 126 e may indicate a failed entry into service mode (e.g., flashing a red color and/or sounding a long tone), and in step 424, the process reports the failure to server based system 111 and ends in a failed initialize lock process in step 426.

Upon successful entry into service mode in step 410, the initialization process generates a new shared secret derivation key and a new shared secret input code by the independent generation, encryption and secure mutual exchange of encrypted key components and encrypted input code components by server based system 111 and the operator device 113 or lock access controller 128 e as will now be described. In step 412, operator device 113 or lock access controller 128 e generates the encrypted lock key component, LoDKComp, per Table 1 above, and the encrypted lock input code component, LoICComp, per Table 2 above, and sends them to server based system 111. For explanatory purposes, an embodiment where lock access controller 128 e generates the components will be described. Operator device 113 sends the server based system public key, SyPuK, to lock access controller 128 e. Lock access controller 128 e, using a pseudo random number generator, generates a lock key component, LoDKComp, and a lock input code component, LoICComp. Then, using SyPuK, lock access controller 128 e encrypts the components, thereby generating LoDKComp and LoICComp, which it sends to operator device 113 for secure communication to server based system 111. Server based system 111 may then decrypt these components using SyPrK, the server based system 111 private key, and reserve them for final assembly of the new shared code derivation key and new shared input code for lock 122 e.

In step 414, server based system 111 generates the encrypted system key component, SyDKComp, per Table 1 above, and the encrypted system input code component, SyICComp, per Table 2 above, and sends them to operator device 113 or lock access controller 128 e. Server based system 111, using a pseudo random number generator, generates a system key component, SyDKComp, and a system input code component, SyICComp. Then, using the operator device public key, OpPuK, server based system 111 encrypts the components, thereby generating SyDKComp and SyICComp, which it sends to operator device 113. Server based system 111 may now in step 416 assemble the new shared code derivation key per Table 1 above from the component parts, A [LoDKComp, SyDKComp], and the new shared input code per Table 2 above from the component parts, A [LoICComp, SyICComp], and load them into the derivation key and input code of record 205 of lock access table 200. Operator device 113 receives and then decrypts SyDKComp and SyICComp using OpPrK and sends the resulting SyDKComp and SyICComp to lock access controller 128 e. In step 418, lock access controller 128 e may now assemble and store therein the new shared code derivation key from the component parts, A [LoDKComp, SyDKComp], and the new shared input code from the component parts, A [LoICComp, SyICComp], for use in future service and access requests.

In step 420 operator device 113 issues a test lock command to verify the newly generated derivation key and input code are operable and that the lock opens properly by executing an access locker command, which will be described later herein in conjunction with FIG. 4B, and may also run other lock diagnostics, such as check a battery status or verify a memory checksum. If the lock does not open properly or certain diagnostic tests fail, then the initialization process fails and process 400 proceeds to step 424. In step 424 the process reports the failure to server based system 111 and in step 426 ends in a failed initialize lock process. Note that some diagnostic test failures may be resolved, for example, a battery may be replaced, after which the diagnostic test and initialization process may then pass. If in step 422 the lock opens and the diagnostic tests pass, then process 400 proceeds to step 428 wherein the successful initialization of lock 122 e is reported to server based system 111 and initialize lock process 400 ends in step 430. Note that the operator device 113 may also prompt the user to execute a check list of other lockable compartment 120 e (FIG. 1A) tests and assessments, such as an assessment of whether the locker door 121 e (FIG. 1A) moves freely, locker interior is clean and free of debris, etc., and if appropriate based on the results of the tests and assessments, allow or disallow lockable compartment 120 e to be put into service.

By using independently generated and mutually exchanged derivation key components and input code components which are passed under respective public/private key pairs, a considerable level of additional security protection is achieved beyond security which may be achieved through a sending of a complete derivation key or input code using only transport level security protocols, such as TLS, to secure the key or code. Namely, both secret private keys and the cypher text of all component parts must be respectively obtained and intercepted in order to assemble the derivation key and input code. Furthermore, an additional point of device authentication is realized as both server based system 111 and operator device 113 must exercise a private key known only to them to decrypt a received component in order for it to ultimately be put into use.
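The component exchange of Tables 1 and 2 and steps 412 to 418, as an added Go example that is not code from this disclosure. It assumes E and D are RSA-OAEP with SHA-256, that the assembly function A (which the text does not define) is a byte-wise XOR, that components are 16 bytes, and that an OAEP label binds each ciphertext to one lock and one component type; the lock ID and all type and function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Component is one independently generated half of a shared secret
// (LoDKComp, SyDKComp, LoICComp or SyICComp in Tables 1 and 2).
type Component [16]byte

// newComponent draws a component from crypto/rand, the OS CSPRNG, which
// stands in here for the "pseudo random number generator" of the text.
func newComponent() (Component, error) {
	var c Component
	_, err := rand.Read(c[:])
	return c, err
}

// wrap is E[component, recipient public key]. The label is an added
// assumption: it ties the ciphertext to one lock and one component type.
func wrap(pub *rsa.PublicKey, c Component, label string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, c[:], []byte(label))
}

// unwrap is D[ciphertext, recipient private key]. It fails for a wrong
// private key, a wrong label or a modified ciphertext.
func unwrap(priv *rsa.PrivateKey, ct []byte, label string) (Component, error) {
	var c Component
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(label))
	if err != nil {
		return c, err
	}
	if len(pt) != len(c) {
		return c, errors.New("unexpected component length")
	}
	copy(c[:], pt)
	return c, nil
}

// assemble is A[lock component, system component], assumed to be XOR.
func assemble(lo, sy Component) Component {
	var out Component
	for i := range out {
		out[i] = lo[i] ^ sy[i]
	}
	return out
}

// Exchange runs steps 412-418 for the derivation key (index 0) and the input
// code (index 1). It returns what the server stores in its lock access table
// record and what the lock access controller stores.
func Exchange(sys, op *rsa.PrivateKey, lockID string) (server, lock [2]Component, err error) {
	for i, kind := range []string{"CDK", "IC"} {
		label := lockID + "/" + kind
		var lo, sy, loAtServer, syAtLock Component
		var ctLo, ctSy []byte
		// Step 412: the lock side generates its component and encrypts it under SyPuK.
		if lo, err = newComponent(); err != nil {
			return
		}
		if ctLo, err = wrap(&sys.PublicKey, lo, label); err != nil {
			return
		}
		if loAtServer, err = unwrap(sys, ctLo, label); err != nil {
			return
		}
		// Step 414: the server generates its component and encrypts it under OpPuK.
		if sy, err = newComponent(); err != nil {
			return
		}
		if ctSy, err = wrap(&op.PublicKey, sy, label); err != nil {
			return
		}
		// Step 416: the server assembles its copy.
		server[i] = assemble(loAtServer, sy)
		// Step 418: the operator device decrypts with OpPrK, the lock assembles.
		if syAtLock, err = unwrap(op, ctSy, label); err != nil {
			return
		}
		lock[i] = assemble(lo, syAtLock)
	}
	return
}

// newKey generates a throwaway 2048-bit RSA key pair for the demonstration.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	server, lock, err := Exchange(newKey(), newKey(), "lock-122e") // constructed lock ID
	fmt.Println("error:", err, "both sides agree:", server == lock)
}
```

Neither ciphertext alone yields the assembled value: an observer needs both private keys and both ciphertexts, which is the property the preceding paragraph claims.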

Referring now to FIG. 4B, FIG. 4B is an example illustration depicting a flowchart representation of a process 440 to open a lock of a lockable compartment for opening and access thereof. FIG. 4B will be discussed in conjunction with FIG. 2A and FIG. 3B. FIG. 3B is an example illustration depicting a similar portion of secure locker system 100 of FIG. 1A as shown in FIG. 3A, but comprising a lock controller board 174 controlling locks 162 e and 162 f. Lock controller board 174 comprises lock access controller 176 and lock interfaces 175 e and 175 f for controlling lock units 162 e and 162 f, respectively. A lock controller board such as controller board 174 may be connected to and control a plurality of lock units comprised by a locker bank, wherein wiring harnesses connect electrical power and signals to actuate lock bolts, such as wiring harnesses 175 e and 175 f, lock bolts 165 e and 165 f, and control indicators 166 e and 166 f of locks 162 e and 162 f. As such, lock controller board driven locks 162 e and 162 f may be referred to as controller board driven locks, simple locks or dumb locks, and locks 122 a-122 f comprising lock access controllers may be referred to as intelligent locks or smart locks. Process 440 of FIG. 4B is applicable to opening both a lockable compartment comprising an intelligent lock and a lockable compartment comprising a controller board driven lock.

Open lockable compartment process 440 begins in step 442. As will be disclosed in more detail later herein, process 440 may be initiated by a user of a portable wireless device 154 in conjunction with a secure locker software app downloaded onto portable wireless device 154, wherein the user selects an open locker selection in step 444. In step 446, the portable wireless device 154 checks to see if it is logically connected to lock 162 e, which, in the example illustration of FIG. 3B, is driven by controller board 174, and as such, the physical connection, albeit a wireless connection, is made to controller board 174, via short range link 194. Once connected, in step 448, portable wireless device 154 sends an open lock request to server based system 111 via communication links 188 and 181 and network 180, and sends an initiate access command to lock access controller 176. The initiate access command prompts lock access controller 176 in step 450 to start a lock access timer, such as a one second or five second timer, which may be used to limit the usable lifetimes of generated single use access authentication codes, namely, the usable lifetimes of a challenge code and a verification code of the current lock access attempt. Further in step 450, lock access controller 176 retrieves the derivation key and input code for lock 162 e and generates the verification code, per the single use access authentication code equation disclosed earlier and restated below for convenience:

Code(n)=E[Code(n−1),CDK]

Where:

-   Code (n) is the next single use access authentication code following the last generated code,
-   Code (n−1) is the last generated single use access authentication code,
-   E is a suitable encryption method, such as AES, and comprises as inputs the last generated access authentication code, Code (n−1) as the input code, and a code derivation key, CDK, and
-   CDK is the code derivation key which is used to encrypt the last generated single use access authentication code, Code (n−1) as the input code, to create the next code, Code (n).

Additionally in step 450, lock access controller 176 updates the input code with the newly generated verification code for lock 162 e and increments the sequence number for lock 162 e. In step 452, server based system 111 retrieves the derivation key and input code from record 205 (which corresponds to lock 162 e) of table 200 and generates the challenge code, per the above access code equation, and sends the challenge code to portable wireless device 154. Additionally in step 452, server based system 111 updates the input code with the newly generated challenge code and increments the sequence number for record 205 of table 200. In step 454, portable wireless device 154 sends via short range link 194 an open lock command and the challenge code to controller board 174 comprising lock access controller 176 for lock 162 e. In step 456, lock access controller 176 compares the received challenge code to the generated verification code. In step 458, if the challenge code and verification code are not equal or the access timer started in step 450 has expired, the process proceeds to step 460, wherein lock access controller 176 logs and reports to server based system 111 via portable wireless device 154 that the lock access transaction failed, and process 440 ends in step 462.

In an embodiment, in step 452, a sequence number of record 205 of table 200 may be included with the challenge code from server based system 111, and a similarly maintained sequence number of lock access controller 176 for lock 162 e may be used to determine an out of sequence condition between the generation of challenge codes by server based system 111 and the respective generation of verification codes by lock access controller 176 for lock 162 e. If, in step 456, lock access controller 176 comprises a sequence number reporting a number of fewer code generation cycles, it can “cycle” verification codes until it evens up the sequence numbers to resolve the discrepancy and potentially achieve a matching of the challenge code and verification code. If, in step 456, lock access controller 176 comprises a sequence number for lock 162 e reporting a number of greater code generations, it can request that server based system 111, via portable wireless device 154, “cycle” challenge codes until it evens up the sequence numbers to resolve the discrepancy and potentially provide a successful challenge code. It is noted that a similar cycle and even up process with regard to sequence numbers may be used in step 410 of the example lock initialization process 400 of FIG. 4A, wherein if the verification code does not match the challenge code, the received encrypted sequence number is decrypted to assess a discrepancy between a sequence number of record 205 of table 200 of server based system 111 and a sequence number for lock access controller 126 e of FIG. 3A in the discussed example. Lock access controller 126 e can either cycle, or request via portable wireless device 154 that server based system 111 cycle to even up the sequence numbers accordingly and potentially resolve the issue. Of additional note, a process wherein lock access controller 176 or lock access controller 126 e cycles backwards by decrypting the last access code and reduces the sequence number in order to even up sequence numbers with server based system 111 should not be contemplated, as this would make the secure locker system 100 vulnerable to replay attacks wherein a previously used open lock command could be resubmitted and the lock access controller being attacked would simply cycle backwards until the sequence numbers and accordingly verification and challenge codes match.
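The following Go sketch is an added example, not code from the disclosure. It models process 440 with AES-128 standing in for E (the text says only "such as AES"), the access timer, and the forward-only sequence even-up described above, so that a replayed open lock command never causes the lock to step its chain backwards. The names Lock, Server, Challenge, Initiate, Open and newPair, the maxCatchUp bound, the use of seconds for time, and the key and seed values are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"errors"
	"fmt"
)

// accessTTL is the lock access timer in seconds (the text suggests 1 s or 5 s);
// maxCatchUp is an assumed bound on forward cycling, not taken from the text.
const accessTTL, maxCatchUp = 5, 8

var (
	ErrNotArmed     = errors.New("no access attempt in progress")
	ErrExpired      = errors.New("access timer expired")
	ErrMismatch     = errors.New("challenge code does not match verification code")
	ErrServerBehind = errors.New("server sequence is behind: server must cycle forward")
)

// chain is one side's per-lock state, as held in the lock access table record.
type chain struct {
	cdk   []byte   // code derivation key, CDK (AES-128)
	input [16]byte // last generated code, Code(n-1)
	seq   uint64   // number of codes generated so far
}

// next computes Code(n) = E[Code(n-1), CDK], then updates input code and sequence.
func (c *chain) next() [16]byte {
	blk, err := aes.NewCipher(c.cdk)
	if err != nil {
		panic(err)
	}
	var out [16]byte
	blk.Encrypt(out[:], c.input[:])
	c.input, c.seq = out, c.seq+1
	return out
}

// Server is the challenge code generator.
type Server struct{ chain }

// Challenge is step 452; it keeps cycling forward while seq is below minSeq.
func (s *Server) Challenge(minSeq uint64) ([16]byte, uint64) {
	c := s.next()
	for s.seq < minSeq {
		c = s.next()
	}
	return c, s.seq
}

// Lock is the lock access controller's verification code generator.
type Lock struct {
	chain
	verify   [16]byte
	armed    bool
	deadline int64
}

// Initiate is step 450: start the timer and generate the verification code.
func (l *Lock) Initiate(now int64) {
	l.verify, l.armed, l.deadline = l.next(), true, now+accessTTL
}

// Open is steps 456 to 464. The chain only ever moves forward.
func (l *Lock) Open(challenge [16]byte, serverSeq uint64, now int64) error {
	switch {
	case !l.armed:
		return ErrNotArmed
	case now > l.deadline:
		l.armed = false
		return ErrExpired
	case serverSeq < l.seq:
		return ErrServerBehind // never decrypt backwards; the server catches up
	case serverSeq-l.seq > maxCatchUp:
		return ErrMismatch // refuse to cycle an unbounded distance
	}
	for l.seq < serverSeq { // lock is behind: cycle verification codes forward
		l.verify = l.next()
	}
	l.armed = false // single use, whether or not the codes match
	if subtle.ConstantTimeCompare(challenge[:], l.verify[:]) != 1 {
		return ErrMismatch
	}
	return nil
}

// newPair returns both sides initialised alike (constructed sample key and seed).
func newPair() (*Server, *Lock) {
	c := chain{cdk: []byte("constructed-CDK!")}
	copy(c.input[:], "constructed-seed")
	return &Server{chain: c}, &Lock{chain: c}
}

func main() {
	srv, lock := newPair()
	lock.Initiate(0)
	ch, seq := srv.Challenge(0)
	fmt.Println("fresh challenge:", lock.Open(ch, seq, 1))
	lock.Initiate(10)
	fmt.Println("replayed command:", lock.Open(ch, seq, 11))
}
```

When the lock returns ErrServerBehind, the caller asks the server for a new challenge with the lock's sequence number as minSeq, which is the "cycle challenge codes" case in the text.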

In step 458, if the challenge code matches the verification code, and the access timer started in step 450 is active and has not expired, then process 440 proceeds to step 464, wherein lock controller board 174 and lock access controller 176, via wiring harness 175 e, actuate lock bolt 165 e to open the lockable compartment, and may indicate such actuation and opening via indicator 166 e. Furthermore in step 464, lock access controller 176 logs and reports to server based system 111 via portable wireless device 154 the successful lock access transaction. Process 440 then proceeds to step 466 where process 440 ends.

A user may wish to store their portable wireless device in a lockable compartment for which they have a rental session, or for which they have an assigned use thereof. In an embodiment of FIG. 3B where a lock 162 f comprises or is otherwise connected to a keypad 164 f connected to lock 162 f via connection 167 f, a user may submit a request to assign a user PIN (request to assign PIN) and select a PIN on portable wireless device 154. The request to assign PIN results in a similar process flow as process 440, namely, an initiate user PIN command sent by the portable wireless device to the lock access controller and the generation of a challenge code by server based system 111 which is then sent to the user portable wireless device. The assign user PIN submission by portable wireless device 154 with the selected PIN in combination with a successful challenge code to lock access controller 176 for lock 162 f will cause lock access controller 176, for the duration of the present rental session or assignment, to accept, via keypad wiring harness 167 f, a correctly entered user PIN, when entered through keypad 164 f, and via wiring harness 175 f, actuate lock bolt 165 f to open lock 162 f and actuate indicator 166 f to indicate a successful opening, as if a matching of a verification code and challenge code had occurred in conjunction with an open lock request. If a user suspects their selected PIN may have been compromised, they can submit another assign user PIN request and select another PIN on their portable wireless device, or submit a request to cancel and deactivate their current access PIN, should they determine they no longer want or need the capability of access via keypad 164 f. Upon an access in conjunction with a termination of a rental session or assignment, server based system 111 submits via portable wireless device 154 a request to cancel and deactivate the access PIN.

Referring to locker bank 132 of FIG. 1A, locker bank 132 comprises a kiosk 140 comprising a touchscreen user interface 142, an electronic payment keypad 144, which may accept secure entry of a debit card PIN number, and a chip and magnetic stripe card reader 146. Kiosk 140 may be used by users to rent and access lockable compartments in an alternative way to using portable wireless devices as previously described. Kiosk 140 may be used when a user does not have a portable wireless device or their portable wireless device is otherwise not available, for example, the battery is fully depleted. In the example illustration of FIG. 1A, kiosk 140 can interact with locks 122 c and 122 d in a similar fashion as a portable wireless device described earlier herein. Kiosk 140 can communicate with server based system 111 via communications links 185 and 181 over network 180 to send an open locker request of process 440 of FIG. 4B, and in response receive a challenge code for access thereto. Kiosk 140 can be configured with a lock controller board to control simple locks, can be configured to communicate directly with intelligent locks via a communications link, such as a short range link, or both. A user having a user account with secure locker system 100 can use kiosk 140 to log into their account to facilitate the rental process, or can otherwise use the system as a guest user. In the example illustration of locker bank 132, a user having a current rental session with lockable compartment 120 d can access it using portable wireless device 152 or kiosk 140 by authenticating themselves to server based system by having signed into their user account of a secure locker system application, as will be discussed later herein, and selecting an open locker selection. Alternatively, a user may have previously selected an assign user PIN selection as described earlier, and provided the PIN has not been deactivated by a subsequent request to cancel it, the user may accordingly access lockable compartment 120 d using a keypad 124 d of lockable compartment 120 d, wherein lock access controller controlling lock 122 d will open lock 122 d upon entry of a correct user PIN as if a challenge code and verification code have been matched in an open lock command.

Referring now to FIG. 3C, FIG. 3C is an example illustration depicting a portion of secure locker system of FIG. 1A, comprising lock 122 a (of locker bank 130 of FIG. 1A), portable wireless device 150, operator device 113, server based system 111 and network 180. One notable difference between FIG. 3A and FIG. 3C is a communications link 184 connecting lock 122 a to network 180 in FIG. 3C, whereas no such communications link connects lock 122 e to network 180 in FIG. 3A. Communications link 184 provides lock 122 a with an ability to communicate directly with server based system 111, and corroborate an action, and details thereof, being received from user portable wireless device 150 via short range connection 190 or operator device 113 via short range connection 198. Furthermore, reporting of access transactions may be made directly from lock 122 a to server based system 111 over link 184, network 180 and link 181, rather than via portable wireless device 150, over short range communications 190, via device 150, link 186, network 180 and link 181. Similarly, reporting of service transactions may be made directly from lock 122 a to server based system 111 over link 184, network 180 and link 181, rather than via operator device 113, over short range communications 198, via device 113, link 183, network 180 and link 181. While depicted as a link directly to lock 122 a, communications link 184 may be implemented as a single communications link, such as a wired or wireless LAN link to a locker bank (locker bank 130 of FIG. 1A) which in turn may provide a wireless link, such as a short range Bluetooth link between a plurality of locks comprising lock 122 a, and link 184, thereby providing lock 122 a communications to server based system 111 over network 180.

Referring now to FIG. 3D which depicts an embodiment of a portion similar to secure locker system 100 of FIG. 1A, FIG. 3D comprises a lock controller board 170, portable wireless device 150, operator device 113, server based system 111 and network 180. One notable difference between FIG. 3B and FIG. 3D is a communications link 184 connecting lock controller board 170 to network 180 in FIG. 3D, whereas no such communications link connects lock controller board 174 to network 180 in FIG. 3B. Lock controller board 170 comprises lock access controller 172 and lock interfaces 171 a and 171 b for controlling lock units 162 a and 162 b, respectively. Communications link 184 provides lock controller board 170 with an ability to communicate directly with server based system 111, and corroborate an action, and details thereof, being received from user portable wireless device 150 via short range connection 190 or operator device 113 via short range connection 198. Furthermore, reporting of access transactions may be made directly from lock controller board 170 to server based system 111 over link 184, network 180 and link 181, rather than via portable wireless device 150, over short range communications 190, via device 150, link 186, network 180 and link 181. Similarly, reporting of service transactions may be made directly from lock controller board 170 to server based system 111 over link 184, network 180 and link 181, rather than via operator device 113, over short range communications 198, via device 113, link 183, network 180 and link 181. Link 184 may connect directly to controller board 170, or as discussed in the embodiment of FIG. 3C, link 184 may be implemented as a single communications link, such as a wired or wireless LAN link to a locker bank (locker bank 130 of FIG. 1A) which in turn may provide a wireless link, such as a short range Bluetooth link between a plurality of controller boards comprising controller board 170, and link 184, thereby providing controller board 170 communications to server based system 111 over network 180. Alternatively, in an embodiment comprising both simple and intelligent locks, link 184 may be implemented as a single communications link which in turn may provide a wireless link between one or more controller boards and one or more intelligent locks.

FIG. 3A and FIG. 3C depict intelligent locks 122 e and 122 a comprising lock access controller 128 e and 128 a, respectively. FIG. 3B and FIG. 3D depict simple locks 162 e and 162 f, and 162 a and 162 b, driven by lock controller boards 174 and 170 comprising lock access controller 176 and 172, respectively. Costs may be lower in configurations of locker banks where controller boards may support the use of lower cost simple locks. However, depending on restrictions and constraints in installation and configuration, some lockable compartments may be free standing or grouped in small numbers such that the wiring of a plurality or even a few simple locks to a controller board is not possible. In such cases, pairing a few simple locks to a controller board may actually cost more than using more expensive intelligent locks which do not require and whose use does not incur the expense of a controller board. Hybrid configurations comprising both intelligent locks, for the case of too few locks to offset the cost of a controller board, and controller board driven locks, for the case where a sufficient quantity of locks can be driven from one controller board and offset its cost, may be configured as needed to minimize costs.

Service events and access events as described in conjunction with FIG. 4A and FIG. 4B may be logged and recorded in server based system 111. FIG. 2B is an example illustration depicting an access event table 230 comprised by server based system 111, wherein access events may be recorded. Access events may comprise interactions with server based system 111, or locks, controller boards and lock access controllers thereof, wherein such interaction is associated with locks comprised by secure locker system 100 of FIG. 1A. Access event table 230 comprises an event ID column 234, event type column 236, access ID column 238, event time column 240, location ID column 242, locker ID column 244, lock ID column 246, accessor ID column 248 and event data column 250. Event ID column 234 comprises a unique identifier which is assigned to an access event and may be used to refer to a specific access event. Event type column 236 comprises classifications for access events such as, but not limited to, a request to invoke service mode, a request to access a compartment, a failed service mode attempt, a successful service mode attempt, a successful compartment access attempt, a failed compartment access attempt, a request to assign PIN, a successful request to assign PIN, a failed request to assign PIN, a cancel assigned PIN request, a PIN keypad entry, and the like. Access ID column 238 comprises identifiers assigned by server based system 111 to uniquely identify a successful or failed access attempt, namely, a lock opening or a failed attempt to open a lock. Event time column 240 comprises a date and time stamp for the event and may be specified by the entity reporting the event. Location ID column 242, locker ID column 244 and lock ID column 266 correspond to location ID column 210, locker ID column 212 and lock ID column 214 of lock access table 200. Accessor ID column 248 comprises a unique participant ID identifying the accessing entity, such as an operator initializing a lock or a user accessing property in a rented lockable compartment. Event data column 250 may comprise additional reported data such as data regarding a failed diagnostics test, a sequence number error, an access timer expiry that may be useful in diagnosing a root cause or support maintenance and service actions, or additional reported data that may be useful in documenting secure locker systems operations for future auditing and system improvement initiatives. In the example illustration of FIG. 2B access event table 230 is depicted comprising access event records 231, 232 and 233.

FIG. 2C is an example illustration depicting a lockable compartment access table 260 comprised by server based system 111. Lockable compartment access table 260 comprises lockable compartment access records created from lockable compartment access event records from table 230 and shares some similar columns therewith, namely, access ID column 264, location ID column 270, locker ID column 272, lock ID column 274 and accessor ID column 276 correspond to access ID column 238, location ID column 242, locker ID column 244, lock ID column 246 and accessor ID column 248 of access event table 230. An access ID within access ID column 264 is assigned by server based system 111 to one or more access event records in table 230, and is a unique identifier for a successful or failed access attempt to a lockable compartment. Access type column 266 comprises a classification of lockable compartment access, such as but not limited to successful or failed access attempts of, an initial access associated with a new rental session, a terminating access associated with an ending of a rental session, an intervening access, an initialization access, a maintenance access, a cleaning access, and the like. Access data column 278 comprises event data from column 250 for one or more respective access event records comprising the access ID of a given lockable compartment access record, and may further comprise event type 236 and event time 240 column data. In this manner, a lockable compartment access record, or record of a failed attempt thereof, may comprise a complete account of submitted data for an access of a lockable compartment, or failed attempt thereof. The example illustration of lockable compartment access table 260 is depicted comprising three lockable compartment access records 261, 262 and 263.

Secure Locker System Rental and Access Application

Secure locker system 100 of FIG. 1A may comprise a rental application for download onto portable wireless devices and thereby permit users to interact with secure locker system 100 to rent and access a lockable compartment or access an otherwise assigned lockable compartment, or perform other related interactions such as search for available lockable compartments, terminate a locker rental and the like. Lockable compartments may comprise a barcode, such as a quick response barcode, or QR Code, such that users may use their portable wireless devices to quickly access information from server based system 111 related to the rental of a lockable compartment, download a rental application therefrom if desired and not already loaded, and establish an account therewith if desired and not already established. If the user already has the application downloaded, the application may indicate an availability status for the scanned lockable compartment, or a nearby lockable compartment available for rental. FIG. 5 is an example illustration depicting a flow diagram representation of a secure locker rental application 500. Application 500 is initiated or accessed in step 502 and first checks in step 504 to see if the user is logged into the system. If not, a check is made in step 508 to see if the user has created a registered account. If the user does have a registered account, the user then may login in step 510. If not, the user can create an account in step 512 and then login in step 510. Once logged into their account, the user is presented with the home view in step 506, where the user can choose from a plurality of actions, such as select/scan a locker (step 514) to be presented with a rental screen (step 528), map view (step 514) to be presented with map/locate/select locker screens (step 530), current rentals (step 518) to be presented with a screen of their current rentals (step 534), transaction history (step 520) to review their transaction history (step 536), account settings (step 522) to review and update account settings (step 538) and logout (step 524) to exit the application (step 526).

FIG. 6A through FIG. 6H depict illustrative user interface displays of screens which may be comprised by, and discussed in conjunction with, application 500 of FIG. 5 above. FIG. 6A depicts an illustrative home view screen 600 of step 506 and includes an enter locker number field 614, wherein a user can, for example, read and enter a locker number affixed to a lockable compartment and then select the find button 616. Screen 600 further comprises a scan locker button 612, wherein a user can, for example, scan a code affixed to a lockable compartment. In either case, the use of find button 616 or scan button 612 selects a locker (step 514) and presents a rent screen (step 528) for the user. A rental screen will be discussed later herein in conjunction with FIG. 6E. Home screen 600 also comprises a row of generally persistent navigational icons for major activities and functions within application 500. These icons are present on many of the various screens within application 500, thereby providing a generally persistent and common method for navigation to activities and functions associated therewith. In the example illustration of home screen 600, the icons comprise a home icon 602 (step 506), a map icon 604 (steps 516, 530), a rentals icon 606 (steps 518, 534), a history icon 608 (steps 520, 536) and a settings icon 610 (steps 522, 538). Note that home icon 602 is highlighted, depicted as a double-image on its right side, to indicate that the present screen is home screen 600. As depicted in the example illustration of home screen 600, a user may also be presented with selections providing an option to review and search for lockers by event venue category, such as sporting events 618, races 620, concerts 622 and conferences 624.

FIG. 6B depicts an illustrative map/locate screen 626 of step 530 resulting from a map selection in step 516, such as a user selecting map icon 604 on home screen 600 of FIG. 6A. Note that map icon 604 is highlighted, depicted as a double-image on its right side, to indicate that the present screen is map/locate screen 626. Also note that map icon 604 is represented by a commonly used map location pin or map marker icon. Map screen 626 can display a map 630, wherein map 630 may be manipulated in an interactive fashion by pinching fingers together on map 630 to zoom out and spreading fingers apart on map 630 to zoom in. Map 630 may be further manipulated by dragging a finger in a direction to pull the map center in a direction of the finger movement. Search entry field 628 may allow the entry of a map or geographic location, zip code, venue name, and the like, and cause a centering of the map to the corresponding coordinates of the entry if a map location is determined for the entry entered in search field 628. When map icon 604 is selected and map screen 626 is initially displayed in response, it can be centered based on current coordinates of a user's portable wireless device as ascertained by global positioning system (GPS) features which may be comprised by the portable wireless device. This may be particularly useful in a use case where a user has decided to research a location of a lockable compartment in which to unburden themselves of presently carried property and items, and would like to determine the nearest available lockable compartments. Search entry field 628 may be particularly useful in a use case where a user wants to research availability of lockable compartments near a planned future location. Lockable compartments in the example illustration of map screen 626 can be identified on map 630 as location pins 632 and 634. A selection of location pin 634 can cause a display of an information bubble 636 describing the location or venue and providing a selectable area to retrieve more info or additional information, as depicted in screen 626. FIG. 6C depicts an illustrative selection screen 638 which may also be presented in step 530 when more info is requested in information bubble 636 of FIG. 6B. In the example illustration of screen 638, two locations of lockable compartments 642 and 644 are available at a venue corresponding to location pin 634 and are displayed to permit a user selection thereof. Aside from making a selection of locations 642 and 644, a user can select from the generally persistent navigational icons return home 602, map 604, current rentals 606, history 608 and settings 610. An alternative navigational option is to return to map screen 626 by selecting a back “<” to map selection 640. FIG. 6D depicts another illustrative selection screen 646 which may also be presented in step 530 in response to a selection of a location 642 and 644 on screen 638 of FIG. 6C. The example illustration of selection screen 646 depicts two possible size selections 650 and 652 for a medium and large lockable compartment, respectively. As depicted, selections 650 and 652 can provide dimensions and associated rental rates to assist in the user's selection thereof. Aside from making a selection of sizes 650 and 652, a user can select from the generally persistent navigational icons 602-610 or return to the previous selection screen 638 by selecting a back selection 648.

FIG. 6E depicts an illustrative rent screen 654 (step 528). The example illustration of rent screen 654 may have been arrived at after steps 530 and 532 when a final selection option has been made, wherein in the example illustration of FIG. 6D, a selection of a medium locker size 650 of selection screen 646 is indicated by the associated rental rate of $2/hour. Rent screen 654 (step 528) comprises an information window 658 indicating, by a locker number, a locker selected for rental and an hourly rate for a rental session. Additionally displayed are payment option selections 660, 662 and 664. A user may select a payment option 660, 662 and 664 in order to move forward with the rental, or alternatively return to the previous selection screen, size selection screen 646, by selecting a back selection 656 or select one of the generally persistent navigational icons 602-610. FIG. 6F depicts an illustrative rental confirmation screen 670 which may be displayed in response to a payment selection 660, 662 and 664 entered on rent screen 654. A user may either rent the indicated locker by selecting a yes selection 674, or decline the rental by selecting a no selection 672. Following either selection, the process may proceed from step 528 back to a home screen 600 view in step 506. Alternatively, in an embodiment, where the selection was a yes selection 674, the process may proceed directly to step 534 and display a current rentals screen 676 of FIG. 6G, which is discussed in more detail below.

FIG. 6G depicts an illustrative current rentals screen 676 of step 534 resulting from a current rentals selection in step 518, such as a user selecting rentals icon 606 on home screen 600 of FIG. 6A, or as in an embodiment noted above, a yes selection 694 on rental confirmation screen 670. Note that current rentals icon 606 is highlighted, depicted as a double-image on its right side, to indicate that the present screen is current rentals screen 676. Current rentals screen 676 may provide a scrollable list of current locker rentals for a user. In the example illustration of screen 676, two current rentals, rental (1) 678 and rental (2) 680, are depicted. Information may be displayed regarding rental (1) 678, such as the venue and location and location in the venue, locker number, rental start time, time used and locker status (e.g. locked or unlocked). Selection options to open locker 682, end rental 684 and more options 686 are provided. If open locker 682 is selected, open lockable compartment process 440 of FIG. 4B is initiated. Following an access of the lockable compartment, application 500 returns to home screen 600 in step 506. If end rental 684 is selected, a confirmation screen may be displayed, as will be discussed later herein. Selection of more options 686 can include access to help services and can include an assign user PIN selection as described earlier. Similar information and selection options are displayed for rental (2) 680. Current rental screen 676 further comprises the generally persistent navigational icons 602-610.

FIG. 6H depicts an illustrative confirmation screen 690 of an end rental session function which is displayed following a user selecting an end rental selection, such as end rental 684 of screen 676. A user may either continue with a termination of the rental by selecting a yes selection 694, or decline a termination of the rental by selecting a no selection 692. Following a no selection 692, the process may proceed back to current rentals screen 676. Following a yes selection 694, an open lockable compartment process 440 of FIG. 4B is initiated. Following an access of the lockable compartment, application 500 returns to home screen 600 in step 506.

Similar to the secure locker system rental and access application 500 usable by users to interact with secure locker system 100 of FIG. 1A, a secure locker system operations application can be provided and usable by operators of secure locker system 100 to interact therewith. A secure locker operations application can be downloaded onto an operator device and be associated with an operator account comprised by server based system 100. An operator can be authenticated by logging into their account similar to a user logging into an account associated with a secure locker rental and access application. A secure locker operations application can be used to initialize locks using process 400 of FIG. 4A, and review maintenance and service requests among other operations related actions.

Secure Locker System Comprising Emergency Access

An operator of a secure locker system may operate lockable compartments located at a plurality of locations and venues, and may be associated with a plurality of location operators and venue proprietors. A secure locker system operator may choose to additionally provide a localized redundancy of the functions and services remotely provided by a server based system. In this manner, should the remotely provided functions and services become unavailable to operate lockable compartments of a location or venue, a local server based emergency access system may be enabled as failover services such that patrons of affected lockable compartments have continued use and access thereof.

Referring again to FIG. 1A, in an embodiment, secure locker system 100 may additionally comprise one or more appliances or server based emergency access systems 119 a, 119 b and 119 c, each of which may comprise one or more servers, software services and data services. Each appliance or server based emergency access system, also referred to more briefly as an emergency access system, may be, but is not necessarily, located at or in proximity of a location or venue comprising a secure locker operation, and may be associated therewith and provide uninterrupted locker access operations in the event that server based system 111 is not functional, is not accessible or is otherwise unavailable to support access of lockable compartments associated therewith. Emergency access systems 119 a, 119 b and 119 c of FIG. 1A further comprise communications links 189 a, 189 b and 189 c, respectively, to communications network 180 and are thereby accessible by a plurality of devices and systems.

Of notable difference from challenge codes and verification codes used in lock access and lockable compartment access process 440 of FIG. 4B previously disclosed herein, emergency challenge codes and emergency verification codes are used in an emergency lock access process, and are generated using emergency access input codes and emergency access derivation keys. An emergency access system comprises a lock emergency access table similar to lock access table 200 of FIG. 2A comprised by server based system 111, and FIG. 2A is suitable as a reference for a discussion of a lock emergency access table. Referring to FIG. 2A, lock emergency access tables comprised by emergency access systems 119 a, 119 b and 119 c comprise a location ID column similar to 210, a locker ID column similar to 212, a lock ID column similar to 214, an emergency access input code column similar to input code column 216, an emergency access derivation key column similar to derivation key column 218 and an emergency access sequence number column similar to sequence number column 220. Each lock associated with a lockable compartment supported by an emergency access system comprises an associated lock emergency access record in a lock emergency access table. Each lock emergency access record comprises an emergency access input code, an emergency access derivation key and an emergency access sequence number. A lock access controller of a lock or lock controller board supported by an emergency access system comprises for each associated lock an emergency access input code, emergency access derivation key and emergency access sequence number. A process to open a lock of a lockable compartment for emergency access thereof is similar to process 440 of FIG. 4B to open a lock of a lockable compartment for access thereof, and FIG. 4B is suitable for reference in a discussion of an emergency access process.

For explanatory purposes of an emergency access process, referring to FIG. 1A, let the following scenario apply: server based system 111 is not available; portable wireless device 150 is in communication with emergency access system 119 a which is collocated with locker bank 130, wherein communication is via communications link 186, network 180 and communications link 189 a; and a user of portable wireless device 150 is accessing lockable compartment 120 a of locker bank 130. An emergency open lockable compartment process 440 of FIG. 4B begins in step 442 and in step 444 a user of a portable wireless device 150 selects an open locker selection in order to access lockable compartment 120 a. In step 446, portable wireless device 150 checks to see if it is connected to lock 122 a, via a wireless short range connection 190. Once connected, in step 448, portable wireless device 150 sends an emergency open lock request to emergency access system 119 a via communication links 186 and 189 a and network 180, and sends an initiate emergency access command to lock 122 a. The initiate emergency access command prompts lock access controller of lock 122 a in step 450 to start a lock access timer which may be used to limit the usable lifetimes of generated single use emergency access authentication codes, namely, the usable lifetime of an emergency challenge code and the usable lifetime of an emergency verification code of the current lock emergency access attempt. Further in step 450, lock access controller of lock 122 a retrieves an emergency derivation key and emergency input code for lock 122 a and an emergency verification code generator of the lock access controller generates an emergency verification code, per the single use access authentication code equation disclosed earlier herein and restated here for an emergency access operation:

Emergency Code(n) = E[Emergency Code(n−1), ECDK]

Where:

- Emergency Code (n) is the next single use emergency access authentication code following the last generated emergency code,
- Emergency Code (n−1) is the last generated single use emergency access authentication code,
- E is a suitable encryption method such as AES and comprises as inputs the last generated emergency access authentication code, Emergency Code (n−1) as the emergency input code, and an emergency code derivation key, ECDK, and
- ECDK is the emergency code derivation key which is used to encrypt the last generated single use emergency access authentication code, Emergency Code (n−1) as the emergency input code, to create the next emergency code, Emergency Code (n).

Once an emergency verification code is generated it is used to update the emergency input code and an emergency sequence number of lock access controller 122 a is incremented. In step 452, emergency access system 119 a retrieves from a lock emergency access table an emergency derivation key and emergency input code for lock 122 a and an emergency challenge code generator of emergency access system 119 a generates an emergency challenge code, per the above emergency access code equation. Once the emergency challenge code is generated it is sent to portable wireless device 150 and is also used to update the emergency input code for lock 122 a of the emergency access table of emergency access system 119 a. The emergency sequence number for lock 122 a of the emergency access table of emergency access system 119 a is incremented. In step 454, portable wireless device 150 sends via short range communications 190 an emergency open lock command and the emergency challenge code to lock 122 a. In step 456, lock access controller of lock 122 a compares the received emergency challenge code to the generated emergency verification code. In step 458, if they are not equal or the access timer started in step 450 has expired, the process proceeds to step 460, wherein lock 122 a logs and reports to emergency access system 119 a via portable wireless device 150 the failed lock emergency access transaction and process 440 ends in step 462.

In an embodiment, in step 452, an emergency sequence number of the lock emergency access table of emergency access system 119 a may be included with the emergency challenge code from emergency access system 119 a, and a similarly maintained emergency sequence number of the lock access controller of lock 122 a may be used to determine an out of sequence condition between the generation of emergency challenge codes by emergency access system 119 a and the respective generation of emergency verification codes by the lock access controller of lock 122 a. If in step 456, the lock access controller of lock 122 a comprises a sequence number reporting a number of fewer code generation cycles, it can “cycle” emergency verification codes until it evens up the sequence numbers to resolve the discrepancy and potentially achieve a matching of the emergency challenge code and the emergency verification code. If in step 456 lock access controller of lock 122 a comprises an emergency sequence number reporting a number of greater emergency code generations, it can request emergency access system 119 a, via portable wireless device 150, to “cycle” emergency challenge codes until it evens up the emergency sequence numbers to resolve the discrepancy and potentially provide a successful emergency challenge code.

In step 458, if the emergency challenge code matches the emergency verification code, and the access timer started in step 450 is active and has not expired, then process 440 proceeds to step 464, wherein the lock access controller of lock 122 a can actuate a lock bolt to open the lockable compartment, and indicate such actuation and opening via indicator 126 a. Further in step 464, lock access controller of lock 122 a logs and reports to emergency access system 119 a via portable wireless device 150 the successful lock access transaction. Process 440 then proceeds to step 466 where process 440 ends.
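The emergency code chain of steps 450 to 458, with the sequence number catch-up in both directions, written out in Go as an added example (not code from this disclosure). Assumptions: AES-128 as E with 16-byte codes, the emergency sequence number sent in the clear beside the challenge, a 30 second lock access timer, a catch-up limit of 8, the constructed key and input code, and every type and function name.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

var (
	ErrNoLiveAttempt = errors.New("no live attempt: timer expired or code already used")
	ErrSystemBehind  = errors.New("system behind lock: ask it to cycle challenge codes")
	ErrGapTooLarge   = errors.New("sequence gap exceeds catch-up limit")
	ErrMismatch      = errors.New("challenge code does not match verification code")
)

// CodeState is one side's copy of a lock emergency access record.
type CodeState struct {
	InputCode [16]byte // Emergency Code(n-1)
	Key       [16]byte // ECDK
	Seq       uint32   // emergency sequence number
}

// Next computes Emergency Code(n) = E[Emergency Code(n-1), ECDK] as one AES-128
// block encryption, stores it as the new input code and increments Seq.
func (s *CodeState) Next() [16]byte {
	block, _ := aes.NewCipher(s.Key[:]) // cannot fail: the key is always 16 bytes
	var out [16]byte
	block.Encrypt(out[:], s.InputCode[:])
	s.InputCode, s.Seq = out, s.Seq+1
	return out
}

// EmergencySystem stands in for emergency access system 119 a.
type EmergencySystem struct{ State CodeState }

// Challenge is step 452. It cycles further when the lock reported a higher
// sequence number (minSeq); pass 0 for a normal request.
func (e *EmergencySystem) Challenge(minSeq uint32) ([16]byte, uint32) {
	c := e.State.Next()
	for e.State.Seq < minSeq {
		c = e.State.Next()
	}
	return c, e.State.Seq
}

// Lock stands in for the lock access controller of lock 122 a.
type Lock struct {
	State        CodeState
	Lifetime     time.Duration // lock access timer length (assumed value)
	MaxCatchUp   uint32        // assumed bound on verification code cycling
	deadline     time.Time
	verification [16]byte
}

// Initiate is step 450: start the timer and generate the verification code.
func (l *Lock) Initiate(now time.Time) {
	l.deadline = now.Add(l.Lifetime)
	l.verification = l.State.Next()
}

// Open is steps 454-458: resolve any sequence gap, then compare the codes.
func (l *Lock) Open(challenge [16]byte, systemSeq uint32, now time.Time) error {
	if now.After(l.deadline) { // also true when no attempt is pending
		return ErrNoLiveAttempt
	}
	switch {
	case systemSeq < l.State.Seq: // lock is ahead: the system must cycle
		return ErrSystemBehind
	case systemSeq-l.State.Seq > l.MaxCatchUp: // refuse unbounded cycling
		return ErrGapTooLarge
	}
	for l.State.Seq < systemSeq { // lock is behind: cycle verification codes
		l.verification = l.State.Next()
	}
	l.deadline = time.Time{} // single use: one comparison per initiated attempt
	if subtle.ConstantTimeCompare(challenge[:], l.verification[:]) != 1 {
		return ErrMismatch
	}
	return nil
}

// NewPair returns a lock and a system initialized with the same constructed
// (not real) emergency derivation key and emergency input code.
func NewPair() (*Lock, *EmergencySystem) {
	var st CodeState
	copy(st.Key[:], "constructed-ECDK")
	copy(st.InputCode[:], "constructed-seed")
	return &Lock{State: st, Lifetime: 30 * time.Second, MaxCatchUp: 8}, &EmergencySystem{State: st}
}

func main() {
	lock, sys := NewPair()
	now := time.Now()
	sys.Challenge(0) // a challenge that was generated but never reached the lock
	lock.Initiate(now)
	c, seq := sys.Challenge(0)
	fmt.Println("open after lock catch-up:", lock.Open(c, seq, now))
	lock.Initiate(now)
	fmt.Println("old challenge replayed:", lock.Open(c, lock.State.Seq, now))
}
```

Without a bound such as `MaxCatchUp`, a sequence number supplied with the challenge could make the lock cycle codes for an arbitrarily long time, so the limit is worth keeping even though the text does not specify one.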

A user may wish to store their portable wireless device in a lockable compartment for which they have a rental session, or for which they have an assigned use thereof. In an embodiment where a lock comprises or is otherwise connected to a keypad such as keypad 124 b connected to lock 122 b (FIG. 1A), a user may submit a request to assign a user PIN (request to assign PIN) and select a PIN on portable wireless device 150. When server based system 111 is unavailable and emergency access system 119 a is actively servicing locker access requests, the request results in the generation and submission of an emergency challenge code as described above in conjunction with FIG. 4B. The assign user PIN submission by portable wireless device 150 with the selected PIN in combination with a successful emergency challenge code to lock 122 b, will cause lock access controller of lock 122 b for the duration of the present rental session or assignment to accept a correctly entered user PIN via keypad 124 b, actuate a lock bolt to open lock 122 b and actuate a visual indicator 126 b to indicate a successful opening, as if a matching of an emergency verification code and emergency challenge code had occurred in conjunction with an emergency access request. If a user suspects their selected PIN may have been compromised, they can submit another assign user PIN request and select another PIN on their portable wireless device, or submit a request to cancel and deactivate their current access PIN, should they determine they no longer want or need the capability of access via keypad 124 b. Upon an access in conjunction with a termination of a rental session or assignment, emergency access system 119 a submits via portable wireless device 154 a request to cancel and deactivate the access PIN.

In normal operations, when server based system 111 is available, active rental session records, also called active rental contracts, for lockable compartments also serviced by emergency access systems 119 a, 119 b and 119 c are communicated by server based system 111 to the appropriate emergency access system 119 a, 119 b and 119 c. As such, should server based system 111 become unavailable, emergency based systems 119 a, 119 b and 119 c can continue to provide access per the currently active rental contracts within their system. When a portable wireless device establishes a rental contract for a lockable compartment, server based system 111 checks to see if the contracted compartment is associated with an emergency access system and, if it is, sends a record of the contract thereto. Additionally, server based system 111 can send the failover URLs for the API services of the associated emergency access system to the portable wireless device and secure locker app running thereon upon entering into a rental contract. Should the API services of server based system 111 then become unavailable, the portable wireless device and secure locker system rental and access app running thereon may then utilize the failover URLs for emergency access transactions.

In order to maintain a record of activity resulting from services provided by emergency access systems 119 a, 119 b and 119 c, each system can maintain an emergency access event table and emergency lockable compartment access table similar to access event table 230 and lockable compartment access table 260 maintained by server based system 111. When server based system 111 is available, records from the emergency access system event and access tables can be forwarded for recording in corresponding server based system 111 access event table 230 and lockable compartment access table 260, and can be given corresponding event type 236 and access type 266 classifications to denote services were provided by emergency access systems. Any deferred processing, such as submission of payment transactions, that was deferred until server based system 111 became available, can be processed after table 230 and table 260 are updated to reflect all activity processed and deferred by emergency access systems. Server based system can audit emergency access systems 119 a, 119 b and 119 c by processing records from the emergency access system reported and recorded in tables 230 and 260, and can also request records comprising emergency sequence numbers for each lock within the lock emergency access table to validate consistency between reported emergency access records and the lock emergency sequence numbers and validate the completeness of reported records and activity. Furthermore, sequence numbers and emergency sequence numbers may both be appended by lock access controller to access event reports issued by locks via portable wireless devices, such as in step 464 of process 440 of FIG. 4B, to maintain an accurate and corroborated report of all system activity. Emergency access systems 119 a, 119 b and 119 c may be implemented such that they require an administrator of secure locker system 100 to enable their use. In this way, an operator of secure locker system 100 can ensure that emergency access is only used when it is appropriate.

While a primary benefit of emergency access systems 119 a, 119 b and 119 c is the continued servicing of existing rental contracts despite the unavailability of server based system 111, in an embodiment, emergency access systems 119 a, 119 b and 119 c may additionally provide services to enable the initiation of new rental contracts despite the unavailability of server based system 111. When server based system 111 is available, rental contracts initiated within the emergency access system can be forwarded for recording by server based system 111 and any required processing, such as closure of rental contracts and submission of payment transactions that were deferred until server based system 111 became available.

In an embodiment, an emergency access device, similar to operator device 113 can be provided. An emergency access device may have limited functionality comparable to an operator device 113. For example, an emergency access device may not be capable of initializing a lock. A primary use of an emergency access device may be to access a lockable compartment when prior attempts using a user's portable wireless device have failed. An emergency access device may be retained by a local operator to assist such a user to access their rented lockable compartment. The emergency access device can attempt access using the user credentials for the secure locker system as entered by the user, and potentially other procedures to validate the user authenticity such as an authentication code sent to an email account of the user. Once the user is authenticated by server based system 111, a lock access command is initiated and a challenge code is generated using a derivation key and an input code for the associated lock. If this access attempt fails, and provided the user was authenticated by server based system 111, the server based system can then request directly to an associated emergency access system, emergency access to the lockable compartment. If this attempt is successful, the lockable compartment can be retired from current service after this access and scheduled for repair procedures, such as a lock (re)initialization procedure. If the server based system 111 is unavailable, the operator of the emergency access device may be required to receive and enter a permission code from the secure locker system operator to enable an emergency access command to access the lockable compartment using the emergency access system. The provision of the permission code for such emergency access should be restricted and require procedures that ensure only a legitimate user receives such emergency access.

Similar to the initialization of locks for use with server based system 111, locks are initialized for use with emergency access systems 119 a, 119 b and 119 c. This process is similar to lock initialization process 400 of FIG. 4A, and may be combined into a single process flow wherein a lock may be initialized for use in both server based system 111 and an emergency access system in the same process using operator device 112 and 113. As such, the code derivation key and input code of Table 1 and Table 2, respectively, are generated in component parts and shared between the initialized lock and server based system 111, and an emergency derivation key and emergency input code are generated in component parts and shared between the initialized lock and emergency access system. The relationship between exchanged emergency derivation key component values, public/private key pairs and the assembled shared emergency derivation key is shown in Table 3 below. For explanatory purposes, this parallel process will be discussed considering operator device 113, lock 122 a and emergency access system 119 a. The operator device 113 or lock 122 a lock access controller generated components can be referred to as a lock emergency derivation key component, or lock emergency key component, and lock emergency input code component and the emergency access system generated components can be referred to as an emergency system code derivation key component, or emergency system key component, and an emergency system input code component.

TABLE 3 Secure Exchange of Emergency Key Components for Shared Key Generation

| Operation | Operator Device or Lock Access Controller | Emergency Access System |
|---|---|---|
| Randomly Generate Emergency Key Component | LoEmKComp | EAEmKComp |
| Encrypt Emergency Key Component | E [LoEmKComp, EAPuK] | E [EAEmKComp, OpPuK] |
| Decrypt Received Emergency Key Component | D [EAEmKComp, OpPrK] | D [LoEmKComp, EAPrK] |
| Generate/Assemble Emergency Key | A [LoEmKComp, EAEmKComp] | A [LoEmKComp, EAEmKComp] |

Where:

- LoEmKComp is the lock emergency key component,
- LoEmKComp is the encrypted lock emergency key component,
- EAEmKComp is the emergency system key component,
- EAEmKComp is the encrypted emergency system key component,
- OpPuK is the operator device public key,
- OpPrK is the operator device private key,
- EAPuK is the emergency access system public key, and
- EAPrK is the emergency access system private key.

The relationship between exchanged emergency input code component values, public/private key pairs and the assembled shared emergency input code is shown in Table 4 below.

TABLE 4 Secure Exchange of Emergency Input Code Components for Shared Emergency Input Code Generation

| Operation | Operator Device or Lock Access Controller | Emergency Access System |
|---|---|---|
| Randomly Generate Emergency Input Code Component | LoEmICComp | EAEmICComp |
| Encrypt Emergency Input Code Component | E [LoEmICComp, SyPuK] | E [EAEmICComp, OpPuK] |
| Decrypt Received Emergency Input Code Component | D [EAEmICComp, LoPrK] | D [LoEmICComp, SyPrK] |
| Assemble Emergency Input Code | A [LoEmICComp, EAEmICComp] | A [LoEmICComp, EAEmICComp] |

Where:

- LoEmICComp is the lock emergency input code component,
- LoEmICComp is the encrypted lock emergency input code component,
- EAEmICComp is the emergency system seed component,
- EAEmICComp is the encrypted emergency system seed component,
- OpPuK is the operator device public key,
- OpPrK is the operator device private key,
- EAPuK is the emergency access system public key, and
- EAPrK is the emergency access system private key.

Operator device 113 exchanges public keys of respective public/private key pairs with server based system 111 and emergency access system 119 a either prior to or upon initiation of the parallel lock initiation process. Referring to FIG. 4A as a similar process and useful reference to explain the parallel system lock initialization, the process begins in step 402. In step 404 operator device 113 attempts to establish a secure connection 198 with lock 122 a using a secure Bluetooth communication protocol, for example a Bluetooth security level 4, security mode 2 secure connection, as described in NIST Special Publication 800-121, Revision 2, published May 2017. In step 406, once secure short range connection 198 is established, the process moves to step 408, wherein operator device 113 issues a service mode command to lock 122 a. This command can result in multiple process steps not depicted in FIG. 4A, such as, indicating, via communications links 183 and 181 and network 180, a service mode request to server based system 111 requesting to put lock 122 a into a service mode, and receiving in response a challenge code and an encrypted sequence number as a secure service mode token, wherein the encrypted sequence number is encrypted using the code derivation key. Referring to the example illustration of lock access table 200 of FIG. 2A, to prepare this response comprising a challenge code and encrypted sequence number, server based system 111 retrieves from record 201 an input code, derivation key and sequence number. For locks not previously initialized and put into use, these values may be based on keys, codes and sequence numbers created during a lock access controller production process, and may be unique or default values. Server based system 111 then encrypts the input code, which may simply be a default input code entered during manufacturing, using the derivation key to generate a challenge code needed for the pending service mode command. Server based system 111 encrypts the sequence number using the derivation key to generate an encrypted sequence number which is also needed as a secure service mode token for the pending service mode command. Server based system 111 then responds to operator device 113 with the required challenge code and encrypted sequence number. Operator device 113 then issues to lock 122 a via short range connection 198 the service command comprising the challenge code and encrypted sequence number. Lock access controller of lock 122 a maintains data corresponding to record 201 comprising an input code, derivation key and sequence number, and independent of server based system 111 generates a verification code and encrypted sequence number (or alternatively decrypts the received encrypted sequence number). In step 410, if the verification code matches the challenge code and the received encrypted sequence number matches the lock generated encrypted sequence number (or alternatively the decrypted received sequence number matches the lock sequence number), the lock successfully enters service mode and the lock opens, wherein a lock bolt retracts and an indicator 126 a may indicate a successful entry into service mode (e.g., flashing a green color and/or sounding a brief tone). If in step 410, the verification code and challenge code do not match, or the received encrypted sequence number and lock generated encrypted sequence number do not match (or alternatively the decrypted received sequence number does not match the lock sequence number), then the service mode command fails, indicator 126 a may indicate a failed entry into service mode (e.g., flashing a red color and/or sounding a long tone), and in step 424, the process reports the failure to server based system 111 and ends in a failed initialize lock process in step 426. In an embodiment, in step 410, if the verification code and challenge code do not match, the received encrypted sequence number may be decrypted and used to determine an out of sequence condition between the server based system 111 generation of challenge codes and the respective generation of verification codes by lock access controller of lock 122 a. If lock access controller of lock 122 a comprises a sequence number reporting a number of fewer code generation cycles, it can “cycle” verification codes until it evens up the sequence numbers to resolve the discrepancy and potentially achieve a matching of the challenge code and verification code. If lock access controller of lock 122 a comprises a sequence number reporting a number of greater code generations, it can request server based system 111, via operator device 113, to “cycle” challenge codes until it evens up the sequence numbers to resolve the discrepancy and potentially provide a successful challenge code.

Upon successful entry into service mode in step 410, the combined server based system 111 and emergency access system 119 a initialization process generates a new shared secret derivation key and a new shared secret input code by the independent generation, encryption and secure mutual exchange of encrypted key components and encrypted input code components by server based system 111 and operator device 113 or lock access controller of lock 122 a as previously described, and further generates a new shared secret emergency key and a new shared secret emergency input code by the independent generation, encryption and secure mutual exchange of encrypted emergency key components and encrypted emergency input code components by emergency access system 119 a and operator device 113 or lock access controller of lock 122 a as will now be described. In step 412 of the combined embodiment of process 400, operator device 113 or lock access controller of lock 122 a generates the encrypted lock key component, LoDKComp, per Table 1 above, and the encrypted lock input code component, LoICComp, per Table 2 above, and sends them to the server based system 111. For explanatory purposes, an embodiment where lock access controller of lock 122 a generates the components will be described. Operator device 113 sends the server based system public key, SyPuK, to lock access controller of lock 122 a. Lock access controller of lock 122 a using a pseudo random number generator generates a lock key component, LoDKComp, and a lock input code component, LoICComp. Then using SyPuK, lock access controller of lock 122 a encrypts the components thereby generating LoDKComp and LoICComp which it sends to operator device 113 for secure communication to server based system 111. Server based system 111 may then decrypt these components using SyPrK, the server based system 111 private key and reserve them for final assembly of the new shared code derivation key and new shared input code for lock 122 a. Next, operator device 113 sends the emergency access system 119 a public key, EAPuK, to lock access controller of lock 122 a. Lock access controller of lock 122 a using a pseudo random number generator generates a lock emergency key component, LoEmKComp, and a lock emergency input code component, LoEmICComp. Then using the EAPuK, lock access controller of lock 122 a encrypts the components thereby generating LoEmKComp and LoEmICComp which it sends to operator device 113 for secure communication to emergency access system 119 a. Emergency access system 119 a may then decrypt these components using EAPrK, the emergency access system 119 a private key and reserve them for final assembly of the new shared emergency key and new shared emergency input code for lock 122 a.

In step 414 of the combined embodiment of process 400, server based system 111 using a pseudo random number generator generates a system key component, SyDKComp, and a system input code component, SyICComp. Then using the OpPuK, server based system 111 encrypts the components thereby generating SyDKComp and SyICComp which it sends to operator device 113. Server based system 111 may now in step 416 assemble the new shared code derivation key from the component parts, A [LoDKComp, SyDKComp], and the new shared input code from the component parts, A [LoICComp, SyICComp], and load them into the derivation key and input code of record 205 of lock access table 200. Operator device 113 receives and then decrypts SyDKComp and SyICComp using OpPrK and sends the resulting SyDKComp and SyICComp to lock access controller of lock 122 a. In step 418, lock access controller of lock 122 a may now assemble and store therein the new shared code derivation key per Table 1 above from the component parts, A [LoDKComp, SyDKComp], and the new shared input code per Table 2 above from the component parts, A [LoICComp, SyICComp] for use in future service and access requests. Next, in the combined embodiment of process 400, emergency access system 119 a using a pseudo random number generator generates an emergency key component, EAEmKComp, and an emergency input code component, EAEmICComp. Then using the operator device public key, OpPuK, emergency access system 119 a encrypts the components thereby generating EAEmKComp and EAEmICComp which it sends to operator device 113. Emergency access system 119 a may now in step 416 assemble the new shared emergency key per Table 3 above from the component parts, A [LoEmKComp, EAEmKComp], and the new shared emergency input code per Table 4 above from the component parts, A [LoEmICComp, EAEmICComp], and load them into lock emergency access table emergency key and emergency input code, respectively, for the record associated with lock 122 a. Operator device 113 receives and then decrypts EAEmKComp and EAEmICComp using OpPrK and sends the resulting EAEmKComp and EAEmICComp to lock access controller of lock 122 a. In step 418, lock access controller of lock 122 a may now assemble and store therein the new shared emergency key from the component parts, A [LoEmKComp, EAEmKComp], and the new shared emergency input code from the component parts, A [LoEmICComp, EAEmICComp] for use in future emergency access requests.
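The Table 3 exchange for the embodiment in which the lock access controller generates its own component, as an added Go example (not code from this disclosure). It shows both ends assembling the same emergency key while the relaying operator device cannot open the lock's encrypted component. Assumptions: RSA-OAEP with SHA-256 for E and D, SHA-256 over the concatenated components truncated to 16 bytes for A (the text does not define A), 16-byte components, and every function and type name.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// encrypt is E[component, public key] of Table 3; RSA-OAEP is an assumption.
func encrypt(comp []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, comp, nil)
}

// decrypt is D[encrypted component, private key] of Table 3.
func decrypt(ct []byte, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// assemble is A[LoEmKComp, EAEmKComp]. The text does not define A; hashing the
// two fixed-length components down to a 16-byte key is an assumption.
func assemble(lo, ea []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, lo...), ea...))
	return sum[:16]
}

// randomComponent returns a fresh 16-byte key component.
func randomComponent() ([]byte, error) {
	b := make([]byte, 16)
	_, err := rand.Read(b)
	return b, err
}

// NewKeyPair generates a throwaway RSA key pair for the example.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Transcript records what each end assembled and what crossed the relay.
type Transcript struct {
	LockKey, SystemKey []byte // shared emergency key as assembled on each side
	EncLoEmKComp       []byte // E[LoEmKComp, EAPuK], relayed by the operator device
}

// Exchange runs the Table 3 rows between the lock access controller, the
// operator device (holder of OpPrK) and the emergency access system (EAPrK).
func Exchange(eaKey, opKey *rsa.PrivateKey) (*Transcript, error) {
	// Lock access controller: generate LoEmKComp and encrypt it under EAPuK.
	lo, err := randomComponent()
	if err != nil {
		return nil, err
	}
	encLo, err := encrypt(lo, &eaKey.PublicKey)
	if err != nil {
		return nil, err
	}
	// Emergency access system: decrypt the relayed component with EAPrK.
	loAtSystem, err := decrypt(encLo, eaKey)
	if err != nil {
		return nil, err
	}
	// Emergency access system: generate EAEmKComp and encrypt it under OpPuK.
	ea, err := randomComponent()
	if err != nil {
		return nil, err
	}
	encEA, err := encrypt(ea, &opKey.PublicKey)
	if err != nil {
		return nil, err
	}
	// Operator device: decrypt with OpPrK, hand the plaintext to the lock.
	eaAtLock, err := decrypt(encEA, opKey)
	if err != nil {
		return nil, err
	}
	// Both ends assemble independently.
	return &Transcript{
		LockKey:      assemble(lo, eaAtLock),
		SystemKey:    assemble(loAtSystem, ea),
		EncLoEmKComp: encLo,
	}, nil
}

// KeysMatch reports whether lock and emergency access system agree on the key.
func (t *Transcript) KeysMatch() bool { return bytes.Equal(t.LockKey, t.SystemKey) }

// OperatorCanDecrypt reports whether OpPrK opens a given ciphertext.
func OperatorCanDecrypt(ct []byte, opKey *rsa.PrivateKey) bool {
	_, err := decrypt(ct, opKey)
	return err == nil
}

func main() {
	eaKey, _ := NewKeyPair()
	opKey, _ := NewKeyPair()
	if t, err := Exchange(eaKey, opKey); err == nil {
		fmt.Println("keys match:", t.KeysMatch())
		fmt.Println("operator can read LoEmKComp:", OperatorCanDecrypt(t.EncLoEmKComp, opKey))
	}
}
```

In this embodiment the operator device handles EAEmKComp in the clear but only ever sees LoEmKComp encrypted under EAPuK, so it cannot assemble the emergency key by itself; that separation is lost in the alternative embodiment where the operator device generates the lock-side component.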

In step 420 of the combined embodiment of process 400, operator device 113 issues a test lock command to verify the newly generated derivation key, input code, emergency key and emergency input code are operable and that the lock opens properly by first executing an access locker command, and then executing an emergency access locker command, and may also run other lock diagnostics, such as check a battery status or verify a memory checksum. If the lock does not open properly or certain diagnostic tests fail, then the initialization process fails. In step 424, the process reports the failure to server based system 111 and emergency access system 119 a, and in step 426 ends in a failed initialize lock process. Note that some diagnostic test failures may be resolved, for example, the battery may be replaced, after which the diagnostic test and initialization process may then pass. If in step 422 the lock opens and the diagnostics test pass, then the successful initialization of lock 122 a is reported to server based system 111 and emergency access system 119 a, and the combined embodiment of initialize lock process 400 ends in step 430. Note that the operator device 113 may also prompt the user to execute a check list of other lockable compartment 120 a (FIG. 1A) tests and assessments, such as an assessment of whether the locker door 121 a (FIG. 1A) moves freely, locker interior is clean and free of debris, etc., and if appropriate allow or disallow lockable compartment 120 a to be put into service.

Secure Locker System with Collapsible Lockable Compartments and Secure Storage Platform

Demand for secure temporary storage can be closely related to events and can vary depending on factors such as weather, the day of the week, time of day, event location, event popularity, and many other factors. For example, a sporting event on a weekday, starting near the end of the workday, and near a busy metropolitan area will likely be attended by many people wanting to store business and other workday items. Other events are temporary in nature and permanent or semi-permanent secure storage lockers may not be practical. Given the fluctuation in demand and temporary nature of many events, secure storage lockers that may be easily and compactly transported to a location when needed, and easily set up and taken down to be once again transported are desirable. Predictive analytics can be used to track such factors as those mentioned above and forecast needs for supplemental lockable compartments to be dispatched from regionally placed inventories. This helps to ensure that customers can become accustomed to having available storage and promotes frequent purchasing of secure storage services.

Secure locker systems can be configured for use with a portable, collapsible locker system. FIG. 7A, FIG. 7B and FIG. 7C are example illustrations depicting a collapsible and foldable lockable compartment 700. FIG. 7D, FIG. 7E and FIG. 7F are example illustrations depicting a collapsible and foldable base 730 on which one or more collapsible lockable compartments 700 may be placed in a stacked manner thereby forming a vertical locker stack assembly. FIG. 7G is an example illustration depicting a locker stack assembly 760 comprising a base 762, a first locker 764 and a second locker 766 which may receive a top component 770 of which an example illustration is depicted in FIG. 7H. Vertical stack assembly 760 may be situated with other vertical stacks to produce a locker bank. The collapsible lockable compartment 700 of FIGS. 7A, 7B and 7E, collapsible base 730 of FIGS. 7D, 7E and 7F, and top component 770 of FIG. 7H may be easily and compactly transported to a location when needed, and easily set up and taken down to be once again transported in order to address temporary and dramatically fluctuating demands associated with temporary secure storage. Furthermore, temporary secure storage arrangements can be flexibly configured to comprise individual lockers 700, stack assemblies 760 and locker banks.

Referring to FIG. 7A and FIG. 7B in more detail, collapsible locker 700 comprises a front panel which is a frame 702 comprising a door 704, attached thereto by a hinge 703. Left side panel 712 and right side panel 718 (when assembled and viewing front panel 702) are attached to front panel 702 with hinges 711 and 719, respectively. Back panel 722 is attached to right side panel 718 with hinge 717. Bottom panel 708 is attached to front panel 702 with hinge 709 (visible and referenced in FIG. 7B). Collapsible locker 700 further comprises a rear panel lower fastening tab 724, a bottom panel fastening tab 710, a rear panel upper fastening tab 726, a left side panel upper fastening tab 714 and a left side panel lower fastening pin 716. When assembled as in FIG. C, pin 716 passes through bottom panel fastening tab 710 and rear panel tab 724, thereby securing bottom panel tab 710 between side panel pin 716 and rear panel tab 724. As will be shown in more detail later, when two collapsible lockers are assembled in a stacked orientation, upper tabs 726 and 714 of a first locker may be secured between pin 716 and tab 710 of a second locker situated above the first locker. Collapsible locker 700 further comprises an electromechanical lock 706 attached to door 704 and comprising a locking element, locking bolt 705, and a lock bolt latch 707, attached to front panel frame 702. Lock bolt attaches and releases door 704 from front panel frame 702, wherein lock bolt 705 may travel past an edge of lock bolt latch 707 and front panel frame 702 to lock door 704 in a closed position, and be retracted to unlock door 704.

Referring to FIG. 7D, FIG. 7E and FIG. 7F, collapsible base unit 730 is similar in construction to that of collapsible locker 700 with a primary difference being a front panel 732 that does not comprise a door and lock assembly. Left side panel 742 and right side panel 748 (when assembled and viewing front panel 732) are attached to front panel 732 with hinges 741 and 749, respectively. Back panel 752 is attached to right side panel 748 with hinge 747. Bottom panel 738 is attached to front panel 732 with hinge 739 (visible and referenced in FIG. 7E). Collapsible locker 730 further comprises a rear panel lower fastening tab 754, a bottom panel fastening tab 740, a rear panel upper fastening tab 756, a left side panel upper fastening tab 744 and a left side panel lower fastening pin 746. When assembled as in FIG. 7F, pin 746 passes through bottom panel fastening tab 740 and rear panel tab 754, thereby securing bottom panel tab 740 between side panel pin 746 and rear panel tab 754. As will be shown in more detail later, when a collapsible base 730 and collapsible locker 700 are assembled in a stacked orientation with the latter in the upper position, upper tabs 756 and 744 of base 730 may be secured between pin 716 and tab 710 of locker 700 situated on and above base 730. Referring to FIG. 7G, upper fastening tabs 768 of upper collapsible locker 766 of vertical stack assembly 760 (corresponding to fastening tabs 726 and 714 of locker 700) may be aligned with a left fastening tab 774 of top panel 770 when locker 766 receives top panel 770, and the tabs may be secured together with a lock hasp or locking bar as will be described later herein.

FIG. 7I and FIG. 7J are example illustrations depicting a collapsible locker 701. Locker 701 is similar to locker 700 and further comprises a right side panel upper fastening tab 720. FIG. 7K and FIG. 7L are example illustrations depicting a collapsible base 731. Base 731 is similar to base 730 and further comprises a right side panel upper fastening tab 750. Right side upper panel fastening tabs 720 and 750 may be used to interconnect adjacently situated vertical stack assemblies as in FIG. 7M. FIG. 7M is an example illustration depicting a partially assembled locker bank 780 comprising a plurality of collapsible lockers 701, collapsible bases 731 and top panels 771 of which an example illustration is depicted in FIG. 7N. Top panel 771 additionally comprises a right fastening tab 776 in addition to a left fastening tab 774 also comprised by top panel 770. Three joining points 782, 784 and 786 where fastening tabs may be secured together are shown in more detail in FIG. 7O, FIG. 7P and FIG. 7Q, respectively. FIG. 7O illustrates a joining point 782 for three collapsible lockers 701 wherein fastening tabs of three lockers of adjacent rows and columns are joined together with a common fastening pin, and in doing so results in two adjacent rows and two adjacent columns being secured together. Joining point 782 joins together fastening tabs from collapsible lockers 701 a, 701 b, and 701 d. Referring to FIG. 7O, joining point 782 comprises rear panel lower fastening tab 724 d of locker 701 d, bottom panel fastening tab 710 d of locker 701 d, rear panel upper fastening tab 726 a of locker 701 a, left side panel upper fastening tab 714 a of locker 701 a and right side panel upper fastening tab 720 b of locker 701 b. Tabs 724 d, 710 d, 726 a, 714 a and 720 b are joined together with left side panel lower fastening pin 716 d. Referring now to FIG. 7P, FIG. 7P illustrates joining point 784 for two collapsible bases 731 a and 731 b, and collapsible locker 701 a wherein fastening tabs of three units of adjacent rows and columns are joined together with a common fastening pin. Joining point 784 comprises rear panel lower fastening tab 724 a of locker 701 a, bottom panel fastening tab 710 a of locker 701 a, rear panel upper fastening tab 756 a of base 731 a, left side panel upper fastening tab 744 a of base 731 a and right side panel upper fastening tab 750 b. Tabs 724 a, 710 a, 756 a, 744 a and 750 b are joined together with left side panel lower fastening pin 716 a of locker 701 a.

Referring now to FIG. 7Q, FIG. 7Q illustrates a joining point 786 for joining two collapsible lockers 701 d and 701 e, and two top panels 771 a and 771 b wherein fastening tabs of lockers of adjacent columns may be joined together with fastening tabs of top panels using a shared fastener. Joining point 786 comprises left fastening tab 774 a of top panel 771 a, rear panel upper fastening tab 726 d of locker 701 d, left side panel upper fastening tab 714 d of locker 701 d, right side panel upper fastening tab 720 e of locker 701 e and right fastening tab 776 b of top panel 771 b.

FIG. 7R is an example illustration depicting locker bank 780 of FIG. 7M with the assembly of the column comprising base 731 c and locker 701 c completed, and the assembly of the column comprising base 731 d completed. Top panels 771 a, 771 b, 771 c and 771 d may be secured to the top row of collapsible lockers 701 d, 701 e, 701 f and 701 g by passing a locking bar 792 through fastening tabs of joining points 787 a, 787 b (corresponds to joining point 786 of FIG. 7M and FIG. 7Q), 787 c, 787 d and 787 e. Locking bar 792 may comprise an end 794 formed to prevent passage of bar 792 fully through joining point 787 a, and hole 796 which may pass through joining point 787 e. Once hole 796 has passed through joining point 787 e a lock hasp may be passed through hole 796 and a lock secured thereto, such that locking bar 792 is locked in place and thereby securing locker bank 780. Locking bar 792 may additionally be passed through brackets (not shown) mounted to a supporting wall (not shown) in order to secure locker bank 780 to the supporting wall. This can improve the stability of locker bank 780 and prevent unauthorized removal of locker bank 780. This added stability and securing against unauthorized removal can be used and may be particularly useful in smaller locker bank configurations, vertical stack assemblies and single unit configurations where a lower weight and size thereof may be more prone to unauthorized removal.

The aforementioned collapsible locker system can be shipped in a relatively flat configuration when it is disassembled. This provides savings in shipping and delivery costs. The collapsible locker system may be easily and compactly transported to a location when needed, and easily set up and taken down to be once again transported as needed to address temporary and dramatically fluctuating demands associated with temporary secure storage. Furthermore, temporary secure storage arrangements using the aforementioned collapsible locker system can be flexibly configured to comprise individual lockers 700, vertical stack assemblies 760 and locker banks 780.

Chain of Custody with Intermediary Secure Storage Transfer Entities

In a chain of custody, each entity acting in the chain from origination to final receipt, including each intermediary, transfers control of the property under custody as appropriate with their position in the chain. Property transfers between chain origination and chain termination, where an intended recipient receives custody of property, may be authenticated, captured, certified and securely recorded in order to securely document and certify a chain of custody, wherein each participating entity is identified and authenticated, and each transfer transaction is accurately captured, certified and securely recorded.

Embodiments of secure locker systems may comprise a chain of custody service. A chain of custody service may be implemented to provide a varied scope of coverage. An embodiment may comprise a chain of custody service for transfers comprising secure temporary storage as a participating entity. When a secure lockable compartment as disclosed herein is used as an intermediary custody transfer entity, it can be uniquely identified and authenticated, and participate in a transfer that can be accurately captured and securely recorded. Furthermore, when a secure lockable compartment is used as an intermediary custody transfer entity, it may be particularly beneficial to accurately capture and securely record the transfer, since without recorded documentation of a transfer, disputes arising from a property loss may not be fully investigated. As such, an operator of a secure locker system may wish to offer a secure storage platform comprising a secure chain of custody service. In an embodiment, an operator of a secure locker system may wish to offer a secure storage platform comprising a secure chain of custody service for transfers where a secure lockable compartment is used as an intermediary custody transfer entity. In an embodiment, an operator of a secure locker system may wish to offer a secure storage platform comprising a secure chain of custody service for some or all transfers in a chain of custody from originating entity to end-recipient. In an embodiment, an originating entity or other entities in a chain of custody may specify a release authority, wherein a release authority is a specification which may specify requirements and actions necessary to authorize a custodian to release property of custody in a custody transfer transaction, and transfer release authority obligations to a receiving entity.
As such, where secure storage is a participating entity in a custody transfer transaction, a release authority may specify obligations of a storage platform and lockable compartment thereof, when receiving custody, and requirements and actions for a storage platform to execute in releasing custody from a lockable compartment to a receiving entity. Release authority specifications may comprise, but are not limited to, mechanisms for authentication of a receiving entity, such as specifying a secure locker access application and account by which to authenticate a receiving party; mechanisms for providing an access token to a receiving entity, such as specifying an email address or phone number to which to send an access token; requiring one or more release mechanisms; and requiring multifactor authentication.

The secure locker system with secure storage platform disclosed herein provides secure lockable compartments that can be uniquely identified by a unique lock ID (and location ID and locker ID) and require a cryptographically secure single use access authentication code for access. As such, the provision of a single use access authentication code to an authenticated entity, and the use by that authenticated entity of that single use access authentication code to access a lockable compartment in order to execute a custody transfer of property can be accurately captured. Additional features of a secure chain of custody service will be disclosed later herein.

FIG. 8A depicts an example illustration of a chain of custody 800 beginning with an originator 802, ending with a recipient 814 and comprising two intermediary custodians, namely, intermediary custodian (1) 806 and intermediary custodian (2) 810. Originator 802 and intermediary custodian (1) 806 are linked with a custody transfer (1) 804 wherein originator 802 transfers custody to intermediary custodian (1) 806 who thereupon receives custody. Intermediary custodian (1) 806 and intermediary custodian (2) 810 are linked with a custody transfer (2) 808 wherein intermediary custodian (1) 806 transfers custody to intermediary custodian (2) 810 who thereupon receives custody. Intermediary custodian (2) 810 and recipient 814 are linked with a custody transfer (3) 812 wherein intermediary custodian (2) 810 transfers custody to recipient 814 who thereupon receives custody. For explanatory purposes, in the example illustration of FIG. 8A, let the following scenario apply: originator 802 is an online seller of an item of computer equipment, namely, a computer disk drive; intermediary custodian (1) 806 is a package delivery courier engaged by originator 802 to deliver the computer disk drive to a purchaser thereof, namely, recipient 814; intermediary custodian (2) 810 is a lockable compartment situated near a residence of recipient 814 to which the courier is to deliver the disk drive; and recipient 814 is unavailable to receive the computer disk drive at the time the courier arrives to deliver it. In this scenario, a lockable compartment may be used as intermediary custodian (2) 810 to take custody of and secure the computer disk drive until the availability of recipient 814 to receive and take custody of the disk drive, thereby permitting the package delivery courier to satisfy a release authority and effect a delivery while preventing theft or loss of the disk drive until such time that recipient 814 is available to ultimately receive it.
As such, in this scenario of example illustration chain of custody 800, a purchaser in an online transaction, purchases a disk drive from a seller who then engages a package delivery service to deliver the disk drive. Specifically, the seller (originator 802) transfers custody (transfer (1) 804) of the disk drive to the package delivery courier (intermediary custodian (1) 806); the package delivery courier (intermediary custodian (1) 806) transfers custody (transfer (2) 808) of the disk drive to the lockable compartment (intermediary custodian (2) 810); and the lockable compartment (intermediary custodian (2) 810) transfers custody (transfer (3) 812) to the purchaser (recipient 814).

FIG. 8B depicts an example illustration process 820 for processing and recording a custody transfer 824 and updating a custody authentication ledger. Process 820 is initiated by a custody transfer 824, wherein a releasing entity 822, associated with party A, transfers custody to a receiving entity 826, associated with party B, who thereupon receives custody of the property. In step 828, releasing entity 822 of transfer 824, may specify, confirm or relay a release authority, or may execute actions specified therein. A custody transfer record comprising a certificate, also referred to as a certified custody transfer record, certified transfer record or certified record, is created and distributed in step 830. The certified transfer record may be created and distributed by a secure locker system, such as secure locker system 100 of FIG. 1, further comprising a chain of custody service. In step 830, the certified transfer record can be distributed to interested parties, such as party A of transfer event 824, party B of transfer event 824, or a previous or planned entity such as an originator, if not party A, or planned recipient if not party B. In step 832, a ledger entry comprising an identifier of the certified transfer record, also referred to as a transfer ID, and the certificate thereof is created and written to a custody transfer authentication ledger. The custody transfer authentication ledger, also referred to as a custody authentication ledger or authentication ledger, may be maintained by a secure locker system, such as secure locker system 100 of FIG. 1, further comprising a chain of custody authentication service. A secure chain of custody authentication service can be queried by holders of certified transfer records to verify the authenticity and integrity thereof.

An example illustration combining chain of custody 800 of FIG. 8A and process 820 of FIG. 8B for processing a custody transfer is illustrated for the delivery scenario of the online computer disk drive purchase discussed above, and is shown in an example illustration depicting a process 800 a in FIG. 8C. Process 800 a depicts a chain of custody process comprising a processing of three custody transfers 804 a, 808 a and 812 a. Process 800 a is discussed in conjunction with FIG. 8D which is an example illustration depicting a system 840 that can be used with process 800 a of FIG. 8C. System 840 comprises a lockable compartment 120, portable wireless devices 150 and 152, server based system 111 and network 180. Portable wireless device 150 can be a device used by a package delivery courier 806 a to assist in tracking and managing package deliveries, and portable wireless device 152 can be a smartphone of an intended recipient 814 a of a package.

In transfer 804 a, a seller 802 a originates the chain of custody and transfers custody of a package comprising a computer disk drive to a package courier 806 a. Transfer 804 a comprises steps 828 a, 830 a and 832 a. In step 828 a, seller 802 a specifies a release authority specifying a requirement for a signature of intended recipient 814 a or use of a secure lockable compartment, such as lockable compartment 120. The release authority further specifies that the use of a lockable compartment and release therefrom requires an authentication of the recipient using an authenticated app and user account (e.g. specifies lockable compartment access through use of a secure locker system approved seller app and an account user name of recipient 814 a to be used for release and receipt) or an access token which is to be sent to an email address of recipient 814 a also specified in the release authority. In step 830 a, a certified transfer record of transfer 804 a is created and distributed to seller 802 a and delivery service of courier 806 a by a chain of custody service of server based system 111. In step 832 a a ledger entry comprising a transfer ID and a certificate for certified transfer record of transfer 804 a is created and written to a custody authentication ledger maintained by a chain of custody authentication service of server based system 111.

In transfer 808 a, package courier 806 a transfers custody of the package to lockable compartment 120, potentially after determining recipient 814 a is not available to receive and sign for the package. In step 828 b, details of the release authority are relayed and executed. In particular, courier 806 a using portable wireless device 150 of FIG. 8D accesses lockable compartment 120 to transfer custody of the package thereto (and to securely store the package therein) and in the access process relays the release authority specification that the release to recipient 814 a requires use of an authenticated app and a specified user account (i.e., relays the requirements specified in previous transfer 804 a, that the lockable compartment access by recipient 814 a requires use of a secure locker system approved seller app and further relays the account user name of recipient 814 a to be used for authentication, release and receipt) or an access token which is to be sent to the email address of recipient 814 a as specified therein. Access of lockable compartment 120 is made using portable wireless device 150 comprising functionality of an app approved by a system operator of lockable compartment 120 which uses an embodiment of open lockable compartment process 440 of FIG. 4B. Since process 440 is discussed in detail earlier herein, it will be discussed briefly and in part in conjunction with transfer 808 a.

In conjunction with transfer 808 a, an access request is made by courier 806 a using portable wireless device 150 to open the lockable compartment 120 in step 444. In step 446 portable wireless device 150 checks to see if it is connected to a lock 122 via a short range communications link 190, such as a Bluetooth link. Once connected, in step 448, portable wireless device 150, sends an open lock request to server based system 111 via communications links 186 and 181 and network 180 and an initiate access command to lock 122. In step 450, lock access controller 128 of lock 120 starts an access timer and generates a verification code. In step 452, server based system 111 generates a challenge code and sends it to portable wireless device 150. In step 454, portable wireless device 150 sends an open lock command and the challenge code to lock 122. In step 456, lock access controller 128 of lock 122 compares the challenge code to the verification code. In step 458, if the codes match and the access timer is still active, the process proceeds to step 464, wherein lock 122 opens and access to lockable compartment 120 is provided. In this embodiment of process 440 and step 464 thereof, upon successful access, portable wireless device 150 relays the release authority to server based system 111, wherein server based system 111 generates a random access token, and sends it to the email address of recipient 814 a specified in the release authority, then encrypts the token using the derivation key for lock 122 and sends it in an open on token command to lock 122 via communications links 181 and 184 and network 180 or via portable wireless device 150. Lock access controller 128 of lock 122 decrypts the token and enables opening upon successful entry of the token into a keypad 124 comprised by or otherwise operably connected to lock 122 and lock access controller 128 thereof.
Server based system 111 additionally executes the release authority specification for authenticated access by the user account of recipient 814 a specified in the release authority, by assigning lockable compartment 120 thereto beginning upon conclusion of transfer 808 a.

In step 464, lock 122 logs and reports the successful access transaction associated with transfer 808 a to server based system 111 via portable wireless device 150. Lockable compartment 120 and lock access controller 128 therein may comprise a communications link 184 to the secure locker system 111 via network 180 and link 181, and thereby may alternatively or additionally report the access transaction associated with transfer 808 a to server based system 111 in step 464. In an embodiment, lockable compartment 120 may comprise a door status sensor 842, such that an opening and closing of a lockable compartment door 121 can be observed by lock access controller 128. These additional access events associated with transfer 808 a, and their time stamps can additionally be reported to server based system 111. In an embodiment, lockable compartment 120 may comprise a camera system 844 comprising an illumination source, such that the contents of lockable compartment 120 may be recorded prior to an opening of lock 122 and after a closing of door 121, and resulting images and their time stamps can additionally be reported to server based system 111. The closing of door 121 in relation to these images may be detected by the aforementioned door sensor 842 if present or alternatively observed by camera 844. This additional information can be reported to secure locker system 111 as an access event(s) associated with transfer 808 a to record a change of contents of lockable compartment 120 associated with transfer 808 a, and as such, a placement of the package in lockable compartment 120 can be accurately recorded. Courier 806 a can be instructed to orient the package in lockable compartment 120 such that a package label commonly used in package delivery services comprised thereon and comprising a readable code indicating a package tracking number, is visible to camera system 844 and will accordingly also be visible in an image captured after door 121 is closed.
In an embodiment, camera system 844 or lock access controller 128 can comprise software to determine if a readable code is in fact readable given a current orientation of the package, and the system can prompt the courier via portable wireless device 150 to adjust the position if needed to enable the code to be readable. In an embodiment, visual assistance showing the current view of camera system 844 can be displayed on portable wireless device 150 to assist courier 806 a in a satisfactory placement of the package. In step 830 b, a certified transfer record for transfer 808 a is created and distributed to seller 802 a and delivery service of courier 806 a by secure chain of custody service of server based system 111. In step 832 b a ledger entry comprising a transfer ID and a certificate for certified transfer record of transfer 808 a is created and written to a custody authentication ledger maintained by a chain of custody authentication service of server based system 111.

In transfer 812 a, lockable compartment 120 transfers custody of the package to recipient 814 a when recipient 814 a retrieves the package therefrom. In step 828 c of transfer 812 a, the recipient 814 a can enter into keypad 124 a release token sent by email from server based system 111 in step 828 b to access lockable compartment 120, or alternatively, use an authenticated app, meeting the requirements of the release authority as specified by seller in 828 a and relayed by courier 806 a to server based system 111 in step 828 b, to access lockable compartment 120. In the case of the access token, recipient 814 a enters the release token into keypad 124, and access controller 128 of lock 122 opens lock 122 if the entered token matches the token decrypted thereby. In the case of an authenticated app, recipient 814 a uses portable wireless device 152 on which the specified authenticated app is running and is presently logged into the specified user account, to open lockable compartment 120 using an embodiment of process 440 of FIG. 4B. Since process 440 is discussed in detail earlier herein, it will be discussed briefly and in part in conjunction with transfer 812 a.

In conjunction with transfer 812 a, an access request is made by recipient 814 a using portable wireless device 152 to open the lockable compartment 120 in step 444. In step 446 portable wireless device 152 checks to see if it is connected to lock 122 via short range link 192. Once connected, in step 448, portable wireless device 152, sends an open lock request to server based system 111 via communications links 187 and 181 and network 180 and an initiate access command to lock 122. In step 450, lock access controller 128 of lock 120 starts an access timer and generates a verification code. In step 452, server based system 111 generates a challenge code and sends it to portable wireless device 152. In step 454, portable wireless device 152 sends an open lock command and the challenge code to lock 122. In step 456, lock access controller 128 of lock 122 compares the challenge code to the verification code. In step 458, if the codes match and the access timer is still active, the process proceeds to step 464, wherein lock 122 opens and access to lockable compartment 120 is provided. In an embodiment, both an access token and an authenticated app may be required for access when specified as such in a release authority. Where both are required, server based system may indicate such requirement with the sending of the encrypted access token in steps 828 b and step 464 of process 440 in the embodiment thereof discussed in conjunction with step 828 b. In this manner, lock access controller 128 of lock 122 will require both the matching access token entry through keypad 124 and the access request from the authenticated app on portable wireless device 152 as specified in the release authority. As such, a two part authentication can be required and enforced directly by lock access controller 128 of lock 122.
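The lock-side checks of steps 450 through 458 and the two part authentication described above can be sketched as follows. This is an added example, not code from the disclosure: the code generator (HMAC-SHA256 over a counter kept in step by the lock and the server), the 30 second access window, the method names and the key and token values are all assumptions, and the encrypted transport of the access token is left out, so the lock receives the token as if already decrypted.

```python
import hashlib
import hmac
import time


def derive_code(derivation_key: bytes, counter: int) -> str:
    """Assumed generator: 8-digit code from HMAC-SHA256(key, counter)."""
    mac = hmac.new(derivation_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class ServerChallengeGenerator:
    """Server based system side: one challenge code per open lock request (step 452)."""

    def __init__(self, derivation_key: bytes):
        self._key = derivation_key
        self._counter = 0

    def challenge_code(self) -> str:
        self._counter += 1
        return derive_code(self._key, self._counter)


class LockAccessController:
    """Lock side: steps 450, 456 and 458, plus the keypad token check."""

    def __init__(self, derivation_key: bytes, window_s: float = 30.0, clock=time.monotonic):
        self._key = derivation_key
        self._counter = 0
        self._window_s = window_s
        self._clock = clock
        self._verification_code = None   # set in step 450, consumed by open_lock
        self._deadline = 0.0
        self._token_digest = None        # digest of the already-decrypted access token
        self._require_both = False
        self._token_entered = False

    def initiate_access(self) -> None:
        """Step 450: start the access timer and generate the verification code."""
        self._counter += 1
        self._verification_code = derive_code(self._key, self._counter)
        self._deadline = self._clock() + self._window_s

    def open_on_token(self, token: str, require_app: bool = False) -> None:
        """Arm keypad release; require_app models a release authority asking for both."""
        self._token_digest = hashlib.sha256(token.encode()).digest()
        self._require_both = require_app
        self._token_entered = False

    def keypad_entry(self, entered: str) -> bool:
        """Return True only if the lock opens on this keypad entry alone."""
        if self._token_digest is None:
            return False
        digest = hashlib.sha256(entered.encode()).digest()
        if not hmac.compare_digest(digest, self._token_digest):
            return False
        if self._require_both:
            self._token_entered = True   # first factor satisfied, app still needed
            return False
        self._token_digest = None        # token is single use
        return True

    def open_lock(self, challenge_code: str) -> bool:
        """Steps 456-458: compare the codes while the access timer is still active."""
        # The verification code is consumed by any attempt, so a code cannot be replayed.
        expected, self._verification_code = self._verification_code, None
        if expected is None or self._clock() > self._deadline:
            return False
        if not hmac.compare_digest(expected.encode(), challenge_code.encode()):
            return False
        if self._require_both:
            if not self._token_entered:
                return False
            self._token_digest, self._require_both, self._token_entered = None, False, False
        return True


def demo() -> dict:
    key = bytes(range(32))               # constructed derivation key for the example
    now = [0.0]                          # fake clock so the access timer is deterministic
    server = ServerChallengeGenerator(key)
    lock = LockAccessController(key, window_s=30.0, clock=lambda: now[0])

    def request() -> str:                # step 448: initiate at the lock, request at the server
        lock.initiate_access()
        return server.challenge_code()

    out = {}
    code = request()
    out["fresh"] = lock.open_lock(code)
    out["replay"] = lock.open_lock(code)
    code = request()
    now[0] += 31.0                       # access timer runs out before the open command
    out["expired"] = lock.open_lock(code)
    code = request()
    out["tampered"] = lock.open_lock(code[:-1] + str((int(code[-1]) + 1) % 10))
    lock.open_on_token("493027", require_app=True)   # constructed token, both factors required
    out["app_without_token"] = lock.open_lock(request())
    out["token_alone"] = lock.keypad_entry("493027")
    out["token_then_app"] = lock.open_lock(request())
    return out


if __name__ == "__main__":
    print(demo())
```

A counter-based generator falls out of step if an initiate access command or an open lock request is lost, so a deployed design needs a resynchronisation rule; the sketch assumes every request reaches both sides.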

In step 464, lock 122 logs and reports the successful access transaction associated with transfer 812 a to secure locker system 111 via portable wireless device 152. Lockable compartment 120 and lock access controller 128 therein may comprise a communications link 184 to server based system 111 via network 180 and link 181, and thereby may alternatively or additionally report the access transaction associated with transfer 812 a to server based system 111 in step 464. In an embodiment, lockable compartment 120 may comprise door status sensor 842, such that the opening and closing of lockable compartment door 121 can be observed by lock access controller 128. These additional access events associated with transfer 812 a, and their time stamps can additionally be reported to server based system 111. In an embodiment, lockable compartment 120 may comprise camera system 844 comprising an illumination source, such that the contents of lockable compartment 120 may be recorded prior to the opening of lock 122 and after the closing of door 121, and images and their time stamps can be additionally reported to server based system 111. The closing of door 121 in relation to these images may be detected by the aforementioned door sensor 842 if present or alternatively observed by camera 844. This additional information can be reported to secure locker system 111 as an access event(s) associated with transfer 812 a to record a change of contents of lockable compartment 120 associated with transfer 812 a, and as such, a removal of the package in lockable compartment 120 can be accurately recorded. In step 830 c, a certified transfer record for transfer 812 a is created and distributed to seller 802 a, delivery service of courier 806 a and recipient 814 a by secure chain of custody service of server based system 111.
In step 832 c a ledger entry comprising a transfer ID and a certificate for certified transfer record of transfer 812 a is created and written to a custody authentication ledger maintained by a chain of custody authentication service of server based system 111.

In the example chain of custody process 800 a of FIG. 8C, certified records for three transfers 804 a, 808 a and 812 a are created and distributed in steps 830 a, 830 b and 830 c, respectively. In steps 832 a, 832 b and 832 c, ledger entries are created and written to a custody authentication ledger. Recipients and holders of certified transfer records received in steps 830 a, 830 b and 830 c can query an authentication ledger at a current or future time to validate the authenticity and integrity of a certified record. Server based system 111 comprising a chain of custody service and chain of custody authentication service may comprise a custody event table 900, custody transfer table 930 and a custody authentication table 960 of which example illustrations are depicted in FIG. 9A, FIG. 9B and FIG. 9C, respectively, and which may be used to record transfers and events thereof, comprise certified transfer records and comprise authentication ledger entries.
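The certify, record and query cycle of steps 830 and 832 for the three transfers of process 800 a can be sketched as follows. This is an added example, not code from the disclosure: the certificate construction (HMAC-SHA256 over a canonical JSON encoding of the record), the field names, the status strings, the participant IDs and the added continuity check between consecutive transfers are all assumptions.

```python
import copy
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Stable byte encoding, so the same record always yields the same certificate."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ChainOfCustodyService:
    """Certifies transfer records and keeps the custody authentication ledger."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key          # assumed service-held secret
        self._ledger = {}                # transfer ID -> certificate (step 832)

    def _certificate(self, record: dict) -> str:
        return hmac.new(self._key, canonical(record), hashlib.sha256).hexdigest()

    def certify_transfer(self, transfer_id, release_id, receive_id, property_id, events):
        """Steps 830 and 832: build the certified record and write the ledger entry."""
        if transfer_id in self._ledger:
            raise ValueError(f"transfer ID already recorded: {transfer_id}")
        record = {
            "transfer_id": transfer_id,
            "release_id": release_id,
            "receive_id": receive_id,
            "property_id": property_id,
            "events": copy.deepcopy(events),
        }
        certificate = self._certificate(record)
        self._ledger[transfer_id] = certificate
        return {"record": record, "certificate": certificate}

    def authenticate(self, certified: dict) -> str:
        """Query by a holder: is this certified record the one that was recorded?"""
        record = certified.get("record") or {}
        entry = self._ledger.get(record.get("transfer_id"))
        if entry is None:
            return "unknown-transfer"
        if not hmac.compare_digest(self._certificate(record).encode(), entry.encode()):
            return "record-altered"
        presented = str(certified.get("certificate", "")).encode()
        if not hmac.compare_digest(presented, entry.encode()):
            return "certificate-mismatch"
        return "authentic"


def verify_chain(service: ChainOfCustodyService, certified_records: list) -> list:
    """Authenticate every record and check that each receiver is the next releaser."""
    problems, previous_receiver = [], None
    for certified in certified_records:
        record = certified["record"]
        status = service.authenticate(certified)
        if status != "authentic":
            problems.append((record["transfer_id"], status))
        if previous_receiver is not None and record["release_id"] != previous_receiver:
            problems.append((record["transfer_id"], "custody-gap"))
        previous_receiver = record["receive_id"]
    return problems


def demo() -> dict:
    service = ChainOfCustodyService(b"constructed-service-key")
    # Constructed participants and events for the seller, courier, locker, recipient chain.
    hops = [
        ("T-804a", "seller-802a", "courier-806a", ["release authority specification"]),
        ("T-808a", "courier-806a", "locker-LOC1/120", ["successful access", "door closing"]),
        ("T-812a", "locker-LOC1/120", "recipient-814a", ["recipient authentication"]),
    ]
    records = [
        service.certify_transfer(tid, rel, rcv, "PKG-0001", [{"event_type": e} for e in ev])
        for tid, rel, rcv, ev in hops
    ]
    altered = copy.deepcopy(records[1])
    altered["record"]["receive_id"] = "locker-LOC9/999"      # holder edits the receiver
    swapped = copy.deepcopy(records[0])
    swapped["certificate"] = "0" * 64                        # record intact, certificate not
    forged = {"record": {"transfer_id": "T-999"}, "certificate": "0" * 64}
    return {
        "statuses": [service.authenticate(r) for r in records],
        "chain": verify_chain(service, records),
        "altered": service.authenticate(altered),
        "swapped": service.authenticate(swapped),
        "forged": service.authenticate(forged),
        "gap": verify_chain(service, [records[0], records[2]]),
    }


if __name__ == "__main__":
    print(demo())
```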

Custody event table 900 comprises event records related to custody transfers, and the data comprised by custody event records may be used to create certified custody transfer records. Examples of events related to custody transfers comprise, but are not limited to: specification of, relay of or an action report related to a release authority; access events of a lockable compartment by a releasing entity or receiving entity; door opening and door closing events of a lockable compartment during a transfer process therewith and images captured of a lockable compartment and contents thereof prior to and after an access event by a releasing or receiving entity. Custody event table 900 comprises an event ID column 904, an event type column 906, a transfer ID column 908, an event time column 910, a release ID column 912, a receive ID column 914, a property ID column 916, a release data column 918 and a receive data column 920. Custody event table 900 is depicted comprising exemplary custody event records 901, 902 and 903.

Event ID column 904 comprises a unique identifier which is assigned to an event and may be used to refer to a specific custody event. Event type column 906 comprises classifications for events such as, but not limited to, an access attempt by a releasing entity, an access attempt by a receiving entity, a successful access attempt, a failed access attempt, a door opening, a door closing, an image capture comprising a package tracking bar code, a release authority specification, an access token generated and emailed per a release authority specification, a recipient authentication per a release authority specification, and the like. Transfer ID column 908 comprises identifiers assigned by chain of custody service of server based system 111 to uniquely identify a custody transfer. Both a releasing entity and a receiving entity of a custody transfer may submit custody events related to a transfer, and each may submit more than one event related to a transfer. As such, an assignment of a given transfer ID may be applied to one or more events related to a given transfer. Transfer ID assignment will be discussed in more detail later herein. Event time column 910 comprises a date and time stamp for an event and may be specified by the entity reporting the event.

Release ID column 912 comprises a participant ID identifying the releasing entity in the custody event. All intermediary custodians in a chain of custody service comprise unique participant IDs. For example, a delivery courier participating in the custody transfer service has a unique participant ID within the secure locker system, such that they can be authenticated for participation in a custody transfer by their ID, and a secure lockable compartment can be uniquely identified by a unique location ID and locker ID combination. Furthermore, each participant, such as each participating lockable compartment or participating courier, can be specifically referenced by this ID in a custody event or transfer record. Release ID column 912 may comprise IDs associated with originators or intermediary custodians releasing a property of the current custody event. An originator and a recipient may have an account comprising a unique participant ID within the system, or may be sponsored for participation in the service by a participant. For example, a package delivery courier may sponsor an originator or an end-recipient as part of a chain of custody in which the package delivery courier is a participant. Or, an originator may sponsor an end-recipient. For example, an online retailer may sponsor an end-recipient. In cases of sponsorship, a unique ID may be assigned within server based system 111 at the time of sponsorship, such as when a release authority is transmitted to a server based system 111 which identifies a sponsored participant. Assignment of a unique ID may be made based on data specified in a release authority used to identify or notify a participant, such as an email address and/or mobile phone number to which to send an access token needed to access a lockable compartment serving as an intermediary custodian.
As such, a participant ID assigned to a given sponsored participant may be reapplied to the same sponsored participant similarly specified in other release authorities specified in other custody transfers. Receive ID column 914 comprises a participant ID for a receiving entity of a custody event.

Property ID column 916 comprises IDs which may be assigned by an originator or an intermediary custodian and specified in a release authority which is sent to server based system 111. A property ID refers to the property of custody in a custody event. In the case of a custody event associated with package delivery, a property ID may be a package tracking number which are actively used by package delivery services. Major package delivery couriers may recycle use of package tracking numbers, and as such, property IDs may not be unique. However, a recycling may not occur for many months and within the time span of a chain of custody of a delivered package, a package tracking number is unique. A property ID may be generated and assigned by server based system 111 if none is specified.

Release data column 918 and receive data 920 comprise data that a releasing participant and a receiving participant send to server based system 111 for inclusion in a custody event record and custody transfer record. For example, a releasing participant which is a package delivery courier may wish to note that an unsuccessful attempt to reach an end-recipient was made at a specific time, and alternatively custody transfer to a lockable compartment per a release authority will be attempted. Or data may comprise information, such as but not limited to, weather conditions, images related to a package placed in a lockable compartment which may have been taken with a portable wireless device used to access the compartment or a camera system comprised by the compartment, images of a package retrieved from a compartment. Data in columns 918 and 920 are initially part of event records in table 900 and may be processed and included in custody transfer records within table 930 of FIG. 9B which may be certified and distributed to participants in a chain of custody. Accordingly, information useful to document a transfer, such as the property transferred, the condition of the property transferred, circumstances surrounding the transfer that are desired to be made of record and shared with the participants of the chain of custody may be communicated to server based system 111 for inclusion in columns 918 and 920.

Custody transfer table 930 of FIG. 9B comprises custody transfer records created from custody event records from table 900 and share some similar columns therewith. Custody transfer table 930 comprises a transfer ID column 934, transfer type column 936, chain ID column 938, transfer time column 940, release ID column 942, receive ID column 944, property ID column 946, releasing event data column 948, receiving event data column 950 and record certificate 952. Custody transfer table 930 is depicted comprising exemplary custody transfer records 931, 932 and 933.

A transfer ID within transfer ID column 934 is first assigned by custody transfer service of server based system 111 to one or more custody event records in table 900, and is an identifier for a custody transfer and, as such, is generally associated with only one record in custody transfer table 930. Given a unique result from a combination of a releasing ID, a receiving ID and a property ID, in a first recorded custody event submission in table 900, a new transfer is generally indicated and a new transfer ID can be assigned thereto. Subsequent custody events comprising the same combination of releasing ID, receiving ID and property ID can be assigned to the same transfer and therefore be assigned the same transfer ID. It is highly unlikely but remotely possible that a property ID is recycled or two identical property IDs can be coincidentally submitted by different parties, and the same releasing entity (and releasing ID), and same receiving entity (and receiving ID) are engaged in a second custody transfer involving the same property ID. However, a reasonable time window over which to consider custody events for inclusion in a transfer and assignment of a particular transfer ID eliminates a possible erroneous assignment. An operator of a custody transfer service may choose a maximum time for which to leave open multiple assignments of a transfer ID to custody event submissions, such as a maximum custody transfer time (e.g. 5 minutes), or a short delay (e.g. 5 seconds) after a probable final custody event of a custody transfer is received, such as an event submission indicating the transfer has completed. Or both methods may be employed, wherein the first to occur is used as a closing time for event submissions. Regardless of how a closing time for event submissions related to a transfer ID is chosen, an earliest possible time is preferred in order for a timely creation and distribution of a custody transfer record documenting the transfer.

Transfer type column 936 comprises a classification of custody transfers, such as but not limited to, originating transfer, intermediary transfer, end-recipient transfer, transfer to secure lockable compartment, transfer from secure lockable compartment. Chain ID column 938 comprises identifiers assigned by chain of custody service of server based system 111 to uniquely identify a chain of custody. The same chain ID is assigned to each transfer record comprised by a chain of custody. A chain ID is established by an occurrence of a releasing ID and property ID having no corresponding prior receiving ID with the property ID for the same participant ID. When the receiving ID is equal to a subsequent releasing ID for the same property ID, the releasing ID and property ID of the current transfer are part of an existing chain of custody. An originating transfer can be defined, at least in part, as an occurrence of a releasing ID and property ID having no corresponding prior receiving ID with the property ID for the same participant ID. A broken chain of custody, where a transfer is unreported, or a non-reported originating transfer results in a newly assigned chain ID assignment to an intermediary transfer rather than an originating transfer.
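The transfer ID and chain ID assignment rules of the two preceding paragraphs can be expressed in code. The following is an added example, not code from this disclosure: the field names, the `transfer_complete` event label, the participant IDs and the sample events are assumptions constructed for illustration, while the 5 minute and 5 second limits are the examples given above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import count
from typing import Optional

MAX_TRANSFER_TIME = timedelta(minutes=5)   # example maximum custody transfer time
CLOSE_DELAY = timedelta(seconds=5)         # example delay after a probable final event
FINAL_EVENT = "transfer_complete"          # assumed label for "transfer has completed"
T0 = datetime(2024, 1, 1, 12, 0, 0)        # constructed base time for sample events


@dataclass
class CustodyEvent:                        # subset of the columns of table 900
    event_id: int
    event_type: str
    event_time: datetime
    release_id: str
    receive_id: str
    property_id: str
    transfer_id: Optional[int] = None


def make_event(event_id, event_type, seconds, release_id, receive_id, property_id):
    """Build a constructed sample event `seconds` after T0."""
    return CustodyEvent(event_id, event_type, T0 + timedelta(seconds=seconds),
                        release_id, receive_id, property_id)


def assign_transfer_ids(events):
    """Set transfer_id on each event; return {transfer_id: (release, receive, property)}."""
    open_transfers = {}                    # triple -> [transfer_id, closing time]
    transfers = {}
    next_id = count(1)
    for ev in sorted(events, key=lambda e: e.event_time):
        key = (ev.release_id, ev.receive_id, ev.property_id)
        slot = open_transfers.get(key)
        # A first occurrence of the triple, or one arriving after the closing
        # time, indicates a new transfer (guards against a recycled property ID).
        if slot is None or ev.event_time > slot[1]:
            slot = [next(next_id), ev.event_time + MAX_TRANSFER_TIME]
            open_transfers[key] = slot
            transfers[slot[0]] = key
        ev.transfer_id = slot[0]
        # Both closing methods employed: whichever occurs first applies.
        if ev.event_type == FINAL_EVENT:
            slot[1] = min(slot[1], ev.event_time + CLOSE_DELAY)
    return transfers


def assign_chain_ids(transfers):
    """Return {transfer_id: chain_id}, linking receiver -> later releaser per property."""
    holder_chain = {}                      # (participant ID, property ID) -> chain ID
    chain_of = {}
    next_chain = count(1)
    for transfer_id in sorted(transfers):  # IDs were issued in time order
        release_id, receive_id, property_id = transfers[transfer_id]
        chain_id = holder_chain.get((release_id, property_id))
        if chain_id is None:
            # No prior receipt by the releaser: an originating transfer, or an
            # intermediary transfer after an unreported one (broken chain).
            chain_id = next(next_chain)
        holder_chain[(receive_id, property_id)] = chain_id
        chain_of[transfer_id] = chain_id
    return chain_of


def sample_events():
    """Constructed events: one three-transfer chain plus one broken chain."""
    return [
        make_event(1, "release_authority", 0, "P-retailer", "P-courier", "PKG-1"),
        make_event(2, FINAL_EVENT, 30, "P-retailer", "P-courier", "PKG-1"),
        make_event(3, "access_success", 7200, "P-courier", "LOC7/L12", "PKG-1"),
        make_event(4, "door_closing", 7240, "P-courier", "LOC7/L12", "PKG-1"),
        make_event(5, FINAL_EVENT, 7260, "P-courier", "LOC7/L12", "PKG-1"),
        make_event(6, "access_success", 18000, "LOC7/L12", "P-recipient", "PKG-1"),
        # No reported transfer ever placed PKG-9 in this compartment.
        make_event(7, "access_success", 18100, "LOC2/L03", "P-other", "PKG-9"),
    ]


if __name__ == "__main__":
    events = sample_events()
    chains = assign_chain_ids(assign_transfer_ids(events))
    for ev in events:
        print(ev.event_id, ev.event_type, "transfer", ev.transfer_id,
              "chain", chains[ev.transfer_id])
```

The final sample event receives a new chain ID even though it is not an originating transfer, which is the broken-chain outcome described above.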

Release ID column 942, receive ID column 944 and property ID column 946 indicate participants and property in the same manner as in custody event table 900. Release event data column 948 and receive event data column 950 for a given transfer record comprise event data from one or more respective release column 918 or receive data column 920 of one or more custody event records comprising the transfer ID of the given transfer record, and may further comprise event type 906 and event time 910 column data. In this manner, a custody transfer record may comprise a complete account of submitted data for a custody.

As discussed in conjunction with steps 830 of FIG. 8B and 830 a, 830 b and 830 c of FIG. 8C, a certified custody transfer record can be created by a secure chain of custody service of server based system 111. These records can reside in custody transfer table 930 as described in the foregoing discussion. However, until the generation and addition of a record certificate in column 952, they are custody transfer records and not certified custody transfer records. Record certificate 952 can be a cryptographic hash of record fields of columns 934, 936, 938, 940, 942, 944, 946, 948 and 950, such as an SHA-3 compliant hash, as published by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards Publication 202 (FIPS PUB 202), SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015. A cryptographic hash of record fields of columns 934, 936, 938, 940, 942, 944, 946, 948 and 950 of a record creates a digital fingerprint thereof for use as a certificate for inclusion in record field record certification column 954. Any alteration of record fields of columns 934, 936, 938, 940, 942, 944, 946, 948 and 950 results in an unpredictable change in the certificate, and the potential to modify a record and preserve a certificate value is highly improbable. As such, a record may be authenticated using a certificate known to be valid for a subsequent calculation of a hash of the fields, wherein should a matching hash result from the fields, the record is determined to be authentic and the integrity of the information therein is verified.

As discussed in conjunction with step 832 of FIG. 8B and steps 832 a, 832 b and 832 c of FIG. 8C, ledger entries comprising transfer IDs and certificates for certified transfer records created and distributed in step 830 of FIG. 8B and steps 830 a, 830 b and 830 c of FIG. 8C, are created and written to a custody authentication ledger maintained by a chain of custody authentication service of server based system 111. Custody authentication ledger table 960 of FIG. 9C can be maintained such that it does not comprise sensitive information and information therein can be made available with few or no restrictions. Authentication ledger 960 comprises a transfer ID column 964, a record certificate column 966 and a time of recording column 968. Transfer ID column 964 and record certificate column 966 correspond to transfer ID column 934 and record certificate column 952 of custody transfer table 930. Time of recording column 968 comprises the date and time a ledger entry was created and written to ledger 960. Custody authentication ledger table 960 is depicted comprising exemplary custody authentication ledger records, also called ledger entries, 961, 962 and 963.

In an embodiment, an authentication ledger can be a blockchain ledger and may be maintained by multiple entities, such as entities having regular participation in chain of custody transfers, for example, package delivery services, leading online retailers and a secure locker system operator. Multiple participating entities can operate blockchain nodes to enforce a consensus agreement required therefrom as a requirement for adding a block of ledger entries to the blockchain. A blockchain so maintained can be immutable and certifications thereon in the form of ledger entries can be relied on for validating certified chain of custody records accordingly. Furthermore, a blockchain so maintained retains a consensus capability and comprises redundancy and continued availability when greater than 50% of the nodes are operable and available.

FIG. 9D is an example illustration depicting a portion of a blockchain custody authentication ledger 970 comprising block (x) 972, block (x+1) 978 through block (x+y) 984, where x and y are positive integers and y is greater than 2. Blockchain 970 is secured using a cryptographic hash function such as an SHA-3 compliant hash, as published by the National Institute of Standards and Technology (NIST) in Federal Information Processing Standards Publication 202 (FIPS PUB 202), SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, August 2015. The contents of each block are secured with a cryptographic hash and each block is linked to its previous block by the inclusion of the hash of the previous block. This arrangement can be seen in FIG. 9D, wherein each block comprises a hash of the previous block and a current hash in addition to ledger entries. Block (x) 972 comprises previous hash (x−1) 974 and current hash (x) 976; block (x+1) 978 comprises previous hash (x) 980 and current hash (x+1) 982, wherein previous hash (x) 980 of block (x+1) 978 is equal to current hash (x) 976 comprised by block (x) 972; and block (x+y) 984 comprises previous hash (x+y−1) 986 and current hash (x+y) 988. Each block of blockchain 970 comprises b ledger entries, or stated another way, b is the size of the blocks as measured by the number of ledger entries. Three ledger entries in block (x) 972 are referenced. They are ledger entry (1) 961, ledger entry (2) 962 and ledger entry (n) 963. The chain of linked cryptographic hashes means any change in the contents of any ledger entry in any block will alter the current hash calculated for the altered block and the current hashes calculated for all blocks following the altered block.
For example, a change to ledger entry (2) 962 of block (x) 972 will alter the calculated current hash (x) 976, which will alter previous hash (x) 980 of block (x+1) 978 (since it is set equal to current hash (x) 976 of block (x) 972), which will change the calculated current hash (x+1) 982 for block (x+1) 978, which then similarly propagates changes through the subsequent blocks. Thus any alteration of a blockchain authentication ledger, even a single bit in a ledger entry, for a participating blockchain node will cause the node comprising the alteration to incorrectly calculate a current hash for a new block to be added to the blockchain. The node comprising the alteration will fail to meet a consensus determination of a correct current hash and can be flagged as comprising invalid ledger entries and decommissioned until the inconsistency is resolved. As such, the blockchain authentication ledgers are immutable and the ledgers of the remaining nodes can be relied on with confidence in the authentication of certified custody records.
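The record certificate, the ledger entry and the hash-linked blocks described above fit together as in the following added example, which is not code from this disclosure. The field names, the JSON serialization of the hashed fields, the all-zero starting hash and the sample records are assumptions constructed for illustration; node consensus is not modelled.

```python
import hashlib
import json

# Assumed names for the fields of columns 934 through 950 of table 930.
CERTIFIED_FIELDS = ("transfer_id", "transfer_type", "chain_id", "transfer_time",
                    "release_id", "receive_id", "property_id",
                    "release_event_data", "receive_event_data")
START_HASH = "0" * 64   # assumed "previous hash" for the first block built here


def record_certificate(record):
    """SHA3-256 over the certified fields, serialized in a fixed order."""
    canonical = json.dumps([record[f] for f in CERTIFIED_FIELDS],
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha3_256(canonical.encode("utf-8")).hexdigest()


def ledger_entry(record, time_of_recording):
    """Entry for table 960: no sensitive record data, only ID, hash and time."""
    return {"transfer_id": record["transfer_id"],
            "record_certificate": record_certificate(record),
            "time_of_recording": time_of_recording}


def block_hash(previous_hash, entries):
    payload = json.dumps({"previous_hash": previous_hash, "entries": entries},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha3_256(payload.encode("utf-8")).hexdigest()


def build_chain(entries, block_size):
    """Group entries into blocks of b = block_size, each linked to the previous."""
    chain, previous = [], START_HASH
    for i in range(0, len(entries), block_size):
        batch = entries[i:i + block_size]
        current = block_hash(previous, batch)
        chain.append({"previous_hash": previous, "entries": batch,
                      "current_hash": current})
        previous = current
    return chain


def first_invalid_block(chain):
    """Index of the first block whose link or stored hash is wrong, else None."""
    previous = START_HASH
    for index, block in enumerate(chain):
        recomputed = block_hash(block["previous_hash"], block["entries"])
        if block["previous_hash"] != previous or recomputed != block["current_hash"]:
            return index
        previous = block["current_hash"]
    return None


def authenticate(record, chain):
    """True if the chain is intact and holds a matching certificate for the record."""
    if first_invalid_block(chain) is not None:
        return False
    certificate = record_certificate(record)
    return any(entry["transfer_id"] == record["transfer_id"]
               and entry["record_certificate"] == certificate
               for block in chain for entry in block["entries"])


def sample_records():
    """Six constructed transfer records: two chains of three transfers each."""
    hops = [("P-retailer", "P-courier", "originating transfer"),
            ("P-courier", "LOC7/L12", "transfer to secure lockable compartment"),
            ("LOC7/L12", "P-recipient", "transfer from secure lockable compartment")]
    records = []
    for chain_id in (1, 2):
        for release_id, receive_id, transfer_type in hops:
            records.append({
                "transfer_id": len(records) + 1, "transfer_type": transfer_type,
                "chain_id": chain_id, "transfer_time": "2024-01-01T12:00:00Z",
                "release_id": release_id, "receive_id": receive_id,
                "property_id": f"PKG-{chain_id}",
                "release_event_data": ["door closing"],
                "receive_event_data": ["image capture"]})
    return records


def sample_entries():
    return [ledger_entry(record, f"2024-01-01T13:{i:02d}:00Z")
            for i, record in enumerate(sample_records())]


if __name__ == "__main__":
    records, chain = sample_records(), build_chain(sample_entries(), 2)
    forged = dict(records[0], receive_id="P-someone-else")
    print("genuine record:", authenticate(records[0], chain))
    print("altered record:", authenticate(forged, chain))
    chain[1]["entries"][0]["record_certificate"] = "0" * 64   # tamper in place
    print("first invalid block:", first_invalid_block(chain))
```

Rebuilding the chain from entries in which one entry of the second block has been altered leaves the first block's current hash unchanged and changes every current hash from the second block onward, which is the propagation the paragraph above describes.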

FIG. 8E is an example illustration of a process 850 for maintaining chain of custody records and an authentication ledger which can be provided as services to document, report and authenticate chain of custody transactions, such as transfers 804 a, 808 a and 812 a as discussed in reference to FIG. 8C. A server based system, such as server based system 111 of secure locker system 100 of FIG. 1A and server based system 111 of FIG. 8D, may further comprise a chain of custody service 870 and a chain of custody authentication service 872. Process 850 depicts a chain of custody having n transfers, namely, transfer (1) 854, transfer (2) 858 through transfer (n) 864. Transfer (1) 854 comprises a transfer from an originator 852 to an intermediary custodian (1) 856. Transfer (2) 858 comprises a transfer from intermediary custodian (1) 856 to an intermediary custodian (2) 860. Transfer (n) 864 comprises a transfer from an intermediary custodian (n−1) 862 to a recipient 866. As such, when n=3, intermediary custodian 860 and intermediary custodian 862 are the same custodian and the chain of custody of process 850 resembles chain of custody 800 illustrated in FIG. 8A which comprises transfer (1) 804, transfer (2) 808 and transfer (3) 812. In the example illustration of FIG. 8E, custody transfers 854, 858 through 864, result in the creation of n certified custody transfer records, namely, certified transfer record (1) 931, certified transfer record (2) 931 through certified transfer record (n) 932, which can also be seen in the example illustration of custody transfer table 930 of FIG. 9B. Certified transfer records 931, 932 through 933 are certified and therefore comprise certificates in column 952.
In custody authentication ledger entries are created, namely, authentication ledger entry (1) 961, authentication ledger entry (2) 962 through authentication ledger entry (n) 963, comprising these record certificates, which can also be seen in the example illustrations of custody authentication ledger table 960 of FIG. 9C and blockchain custody authentication ledger 970 of FIG. 9D each comprising authentication ledger entry (1) 961, authentication ledger entry (2) 962 through authentication ledger entry (n) 963.

Post-Delivery Redirected Delivery, En Route Delivery and Other Flexible Delivery and Dispatch Services

In various embodiments, a secure locker system comprising chain of custody services can provide various secure delivery and dispatch services comprising post-delivery redirected delivery, en route and impromptu delivery and dispatch services and other flexible delivery and dispatch services. For example, an intended recipient may be notified that a package has been delivered to a lockable compartment at their condominium residence while they are away from home. Yet they would benefit from receiving the package prior to their planned return home. In an embodiment, they can authorize and schedule a transfer of custody to a delivery service and have the package securely collected from the lockable compartment and delivered to their present location, planned future location or securely delivered to a lockable compartment in a convenient proximity thereto. In an embodiment, an intended recipient may be traveling and may have a package delivery synchronized with their travel itinerary such that delivery is made to a secure lockable compartment conveniently accessible while traveling. In an embodiment, a person may dispatch a package for delivery while traveling by accessing a lockable compartment, transferring custody of the package thereto and scheduling a transfer of custody to a delivery service. In an embodiment, a person may have temporarily secured property in a lockable compartment, such as in a lockable compartment at a sporting event or at a concert venue, and later have their items delivered to them rather than return to the lockable compartment themselves. In such a situation, they schedule an impromptu transfer of custody to a delivery service to have their items delivered to a present location, planned future location or securely delivered to a lockable compartment in a convenient proximity thereto.

An example illustration of a post-delivery redirected delivery process 1000 is depicted in FIG. 10A. Post-delivery redirected delivery process 1000 begins in step 1002, and in step 1004 a user receives a notification of a delivery for which they are the intended end-recipient and which has been made to a lockable compartment. A user may decide they want to investigate having a delivery service deliver the package to a more convenient location given their present circumstances. For example, the user may be expecting a late return home, and would benefit from a same-day redirected delivery to their current location. Or the user may be traveling and would benefit from a next-day redirected delivery to a planned location the following day. When a redirected delivery is of interest, a user can investigate post-delivery redirected delivery options in step 1006. If, in step 1008, a user chooses not to schedule a redirected delivery, the process ends in step 1010. If a user chooses to schedule a redirected delivery, the process proceeds to step 1012. In step 1012, the user engages a service for post-delivery redirected delivery and updates or otherwise establishes a release authority with the secure storage platform which specifies the engaged service as a receiving entity for the transfer of custody from the secure lockable compartment comprising the package, and further specifies the user as the end-recipient. Thus in the case of an updated release authority, the chain of custody is extended, or in the case of a newly established chain of custody, a new chain is created where an originating transfer may be recorded with the user specified as an originator that is transferring custody to a receiving secure lockable compartment. In the case of a courier differing from the courier making the initial delivery, the latter option of establishing a new chain may be preferred.
In the case of the original courier being re-engaged for the post-delivery redirect, the former option of extending the chain of custody may be preferred. Regardless of which method is chosen, the release authority now permits the engaged service to complete the post-delivery redirected delivery and the process ends in step 1014.

An example illustration of an en route delivery process 1020 is depicted in FIG. 10B. En route delivery process 1020 begins in step 1022. In step 1024, a user receives a notification of a planned delivery, or plans a delivery that is anticipated or is desired to be delivered when the user is traveling. In step 1026 the user investigates options to have the package delivered while they are traveling. In an embodiment, functionality may be provided to synchronize delivery services with a user's travel itinerary in order to present available options, which may be sorted by cost, proximity and the like. If, in step 1028, a user decides not to schedule an en route delivery, the process ends in step 1030. If the user decides to schedule an en route delivery, the process proceeds to step 1032. In step 1032, the user engages a service for en route delivery. If the package has yet to ship from an originator, a new release authority is created which specifies the engaged service as a receiving entity for a transfer of custody from the originator, the user as the end-recipient of an en route delivery, and an en route delivery location. If the package has already shipped, a current release authority is updated to permit the current courier to change the delivery location to an en route location with the user as the end-recipient. Regardless of which case is used, namely, a new or updated release authority, the release authority permits the engaged service to make an en route delivery and the process ends in step 1034.

An example illustration of an impromptu and planned dispatched delivery process 1040 is depicted in FIG. 10C. Impromptu and planned dispatched delivery process 1040 begins in step 1042. In step 1044, a user having placed property in a lockable compartment then later considers having it delivered (impromptu), or a user with property that they may want to have delivered (dispatched) investigates dispatch delivery options. If, in step 1046, a user decides not to schedule a dispatch delivery, the process ends in step 1048. If the user decides to schedule a dispatch delivery, the process proceeds to step 1050. In step 1050, a user dispatching property places it in a lockable compartment. For an impromptu dispatching, the property is already in the lockable compartment. In step 1052, the user engages a service for the dispatch delivery. For the impromptu delivery, a release authority is created or updated, permitting the lockable compartment to release custody to a specified dispatch courier for delivery to a recipient specified by and which typically is the user. For a dispatch delivery, a release authority is created permitting the lockable compartment to release custody to a specified dispatch courier for delivery to a recipient specified by and which may be the user. Regardless of which case is used, namely, a newly created or updated release authority, the release authority permits the engaged service to collect the property from the lockable compartment and make the dispatch delivery and the process ends in step 1054.

Secure Claim Check and Valet Services

In an embodiment, a secure storage platform can secure property in a claim check based service that may be supervised by a proximate attending operation, such as hotel bag-check services. Of a similar nature to bag-check services are coat-check services. Also of similar nature are valet services, where control of a vehicle is temporarily transferred by transferring the keys for the vehicle to a valet attendant. In a claim check application and in a vehicle valet service comprising a secure storage platform and chain of custody service, a transfer of custody of checked property and keys (and indirectly valeted vehicles), and a return transfer thereof, can be securely captured and recorded. In an embodiment, theft of a checked or valeted item such as a checked bag of luggage or a set of car keys (and associated vehicle) can be detected and may be tracked for a potential recovery thereof.

FIG. 11A is an example illustration of a secure storage system 1100 comprising a claim check service. System 1100 comprises a server based system 111 comprising a claim check service, and an electronic lockable tag 1101, also referred to herein as an e-tag. Generally, a claim check service comprises a plurality of e-tags commensurate for an upper potential quantity of concurrently checked items. E-tag 1100 comprises lock access controller 1102 comprising a code derivation key and last access code for generating a verification code for comparison to a received challenge code, whereupon a matching verification code and challenge code lock access controller 1102 opens a lock 1103. Dissimilar to a lockable compartment application disclosed earlier herein, e-tags may be secured to property when assigned custody thereof, rather than securing access to property as in the case of lockable compartment 120 comprising smart lock 122 of FIG. 8D. System 1100 further comprises an operator device 113 and a user device 154 capable of communications with lock access controller 1102 via communications links 198 and 194, respectively, and server based system 111 via communications links 183 and 188, respectively, over a network 180 and a communications link 181 of server based system 111.

FIG. 11B is an example illustration of a process 1120 to check property which begins in step 1122. In step 1124, a code 1106 of e-tag 1101 may be scanned by a user of portable wireless device 154 and checking their property with the claim check service. For example, a user checking a bag may be presented with e-tag 1101 and scan code 1106 thereon using a secure storage app and account recognized by server based system 111 and running on their portable wireless device 154. This action assigns e-tag 1101 for use by the user to check property thereof. Alternatively, if a user does not have a portable wireless device comprising an app and account recognized by server based system, an operator can register the user within the system using operator device 113 and scanning code 1106 to assign e-tag 1101 to the user. In an alternative embodiment, an alternative method for assignment can be used, such as a claim check operator can reference a user account, such as a conference registration or a hotel registration and link the assignment thereto. Alternatively, server based system 111 may make a selection and assignment and flash an indicator 1104, such as an LED indicator, to alert an operator of the assignment. After e-tag 1101 is assigned in step 1124, in step 1126 a release authority specifying a release to the user as an end-recipient is created and a custody transfer is initiated. An embodiment of a process similar to process 440 of FIG. 4B to open a lockable compartment is used to open lock 1103. Process 440 has been previously discussed in detail and only a brief discussion to clarify the current process embodiment will be discussed. In the current embodiment, a device that was used in the assignment of e-tag 1101 in step 1124, namely, either operator device 113 or user portable wireless device 154 connects to lock access controller 1102 (step 446 of process 440), via communication link 198 or 194, respectively.
In an alternative embodiment, where assignment was made by server based system 111, then operator device 113 can be used in the current embodiment of process 440. Regardless of which device is used, lock 1103 is opened thereby in cooperation with server based system 111 as illustrated in process 440 of FIG. 4B. In step 1128, e-tag 1101 is secured to the property being checked by closing the hasp of lock 1103 and attaching the lock to a feature of the property such that it is secured thereto. For example, closing 1103 such that e-tag 1101 is secured to a handle, or feature thereof, of a luggage bag. Or in the case of a valet service, to a key fob remote or key to a vehicle. Once the e-tag is secured to the property, custody is transferred to e-tag 1101 as described in process 820 of FIG. 8B, wherein releasing entity 822 is the user and the receiving entity 826 is e-tag 1101. In step 1128, an image of the checked property may be captured by portable wireless device 113 or 154 and communicated to server based system 111 for inclusion in custody event table 900 of FIG. 9A and custody transfer table 930 of FIG. 9B, to document the property being checked. Process 1120 ends in step 1130.

FIG. 11C is an example illustration of a process 1140 to claim checked property which begins in step 1142. In step 1144, code 1106 of e-tag 1101 may be scanned by a user of portable wireless device 154 claiming their property checked with the claim check service using a secure storage app and account recognized by server based system 111 and running on their portable wireless device 154. Alternatively the user may select a function of the app to show currently checked items to retrieve the e-tag based claim check. If operator device 113 or server based system 111 was used to assign e-tag 1101 in step 1124 of process 1120, it may alternatively be used to scan or otherwise retrieve e-tag 1101 after the identity of the user is verified by an operator of the checked storage service. Once e-tag 1101 is determined to be the e-tag with custody of the property of interest, server based system, via portable wireless device 154 or operator device 113, may indicate e-tag 1101 by actuating indicator 1104. In step 1146, the user is authenticated, either through use of their device 154 and secure storage app and account running thereon, or through identity information entered by the operator on operator device 113. Upon authentication, custody is transferred back to the user per the release authority, as described in process 820 of FIG. 8B, wherein releasing entity 822 is e-tag 1101 and the receiving entity 826 is the user. In step 1146, an image of the claimed property may be captured by portable wireless device 113 or 154 and communicated to server based system 111 for inclusion in custody event table 900 of FIG. 9A and custody transfer table 930 of FIG. 9B, to document the property being claimed. After custody has been transferred to the user, e-tag 1101 is released, namely, lock 1103 is opened, and e-tag 1101 is removed from the checked property using an embodiment of process 440 of FIG. 4B, as described above to secure e-tag 1101 to the property. Process 1140 ends in step 1150.

In an embodiment, e-tag 1101 may further comprise a tracking device 1105 comprising a location or trackable feature, such as a global positioning system (GPS) capability, and long range communications capability, such as a low-power wide-area network (LPWAN), like ultra-narrowband (UNB). Tracking device 1105 may periodically report its current position to a receiver (not shown) which in turn reports the location of e-tag 1101 to server based system 111. As such, if property in custody of, and to which e-tag 1101 is attached, is stolen, it may be tracked and potentially recovered. Furthermore, when e-tag recognizes movement (a difference in successive GPS readings), it may increase the frequency of position reports, at the expense of battery (not shown) capacity consumption, to support a potential tracking effort. Furthermore, a permitted location or proximate location for e-tag 1101 may be established, such that if e-tag 1101 reports a violating location, an alert can be issued by server based system 111 indicating a potential theft of the property in custody of e-tag 1101.

In an embodiment, a lower cost implementation comprising simple non-electronic printed tags (non-e-tags) having readable codes can be used, wherein the readable codes are read by portable wireless devices 113 and 154 to assign non-e-tags and transfer custody thereto and therefrom. Obviously, these tags are not lockable to property, or capable of utilizing single use access identification codes to securely manage attachment and release. Furthermore, these tags are not capable of further comprising tracking device 1105 for tracking.

The possible and illustrative embodiments disclosed herein should not be construed as an exhaustive list. Rather the various embodiments presented serve to illustrate only some of the various ways to practice the invention and many additional combinations of features and configurations are possible within the scope of the invention disclosed herein. It is to be understood that the detailed example embodiments of the present invention disclosed herein are merely illustrative of the invention that may be embodied in various forms. In addition, each of the examples given in connection with the various embodiments of the invention is intended to be illustrative, and not restrictive.

What is claimed is:
 1. A secure storage system comprising: a plurality of lockable compartments comprising controllable electromechanical locks, the controllable electromechanical locks providing controlled access to the lockable compartments; one or more lock access controllers, each configured to control at least one of the controllable electromechanical locks and comprising a verification code generator to generate verification codes useable to process access requests to access a lockable compartment; and a server based system comprising a challenge code generator to generate challenge codes useable to process access requests, wherein in response to a received access request to access a lockable compartment comprising a controllable electromechanical lock controlled by a lock access controller: the challenge code generator of the server based system generates and provides a challenge code in response to the access request and for submission to the lock access controller controlling the controllable electromechanical lock of the lockable compartment of the access request; the verification code generator of the lock access controller controlling the controllable electromechanical lock of the lockable compartment of the access request generates a verification code in response to the access request; the lock access controller controlling the controllable electromechanical lock of the lockable compartment of the access request receives the challenge code generated by the challenge code generator of the server based system; and the lock access controller controlling the controllable electromechanical lock of the lockable compartment of the access request opens the controllable electromechanical lock to provide access to the lockable compartment of the access request if the verification code is equal to the received challenge code.
 2. The secure storage system of claim 1, wherein the lock access controller does not open the controllable electromechanical lock controlling the controllable electromechanical lock of the lockable compartment of the access request to provide access to the lockable compartment if the verification code is not equal to the received challenge code.
 3. The secure storage system of claim 1, wherein the received access request to access a lockable compartment is received from a user device used by a user to rent the lockable compartment.
 4. The secure storage system of claim 1, wherein the challenge code generator of the server based system comprises a plurality of code derivation keys and a plurality of input codes, wherein each of the controllable electromechanical locks of the plurality of lockable compartments has an associated code derivation key and an associated input code, and the challenge code generator uses the code derivation key and the input code associated with the controllable electromechanical lock of the lockable compartment of the access request to generate the challenge code.
 5. The secure storage system of claim 4, wherein following the generating of the challenge code the challenge code generator of the server based system modifies the input code associated with the controllable electromechanical lock of the lockable compartment of the access request with the generated challenge code.
 6. The secure storage system of claim 5, wherein the modification of the input code associated with the controllable electromechanical lock of the lockable compartment of the access request comprises setting the input code equal to the generated challenge code.
 7. The secure storage system of claim 4, wherein the verification code generators of the one or more lock access controllers configured to control at least one controllable electromechanical lock comprise at least one code derivation key and at least one input code, wherein each of the at least one controllable electromechanical locks controlled by the one or more lock access controllers has an associated code derivation key and an associated input code, and the verification code generator of the lock access controller controlling the electromechanical lock of the lockable compartment of the access request uses the code derivation key and the input code associated with the controllable electromechanical lock of the lockable compartment of the access request to generate the verification code.
 8. The secure storage system of claim 7, wherein following the generating of the verification code, the verification code generator of the lock access controller controlling the electromechanical lock of the lockable compartment of the access request modifies the input code associated with the controllable electromechanical lock of the lockable compartment of the access request with the generated verification code.
 9. The secure storage system of claim 8, wherein the modification of the input code associated with the controllable electromechanical lock of the lockable compartment of the access request comprises setting the input code equal to the generated verification code.
 10. The secure storage system of claim 7, wherein the code derivation key comprised by the verification code generator of the lock access controller used to generate the verification code and the code derivation key comprised by the challenge code generator of the server based system used to generate the challenge code are created from randomly generated component parts that are mutually exchanged and comprise a system code derivation key component part randomly generated by the server based system and a randomly generated lock code derivation key component part not generated by the server based system.
 11. The secure storage system of claim 7, wherein the input code comprised by the verification code generator of the lock access controller used to generate the verification code and the input code comprised by the challenge code generator of the server based system used to generate the challenge code are created from randomly generated component parts that are mutually exchanged and comprise a system input code component part randomly generated by the server based system and a randomly generated lock input code component part not generated by the server based system.
 12. The secure storage system of claim 1, wherein at least one of the one or more lock access controllers is comprised by a lock controller board is configured to control a plurality of controllable electromechanical locks.
 13. The secure storage system of claim 1, wherein at least one of the one or more lock access controllers is comprised by a smart controllable electromechanical lock and is configured to control the smart controllable electromechanical lock.
 14. The secure storage system of claim 1, wherein the verification code generated by the verification code generator of the lock access controller in response to an access request may only be used in conjunction with a single access request.
 15. The secure storage system of claim 14, wherein the verification code generated by the verification code generator of the lock access controller in response to an access request may only be used prior to an expiration of an access timer started in conjunction with the access request, thereby limiting the useful life of the verification code.
 16. The secure storage system of claim 15, wherein the access timer started in conjunction with the access request is less than or equal to one second.
 17. A secure storage system comprising an initialize lock command and further comprising: a plurality of lockable compartments comprising controllable electromechanical locks, the controllable electromechanical locks providing controlled access to the lockable compartments; one or more lock access controllers, each configured to control at least one of the controllable electromechanical locks and comprising a verification code generator to generate verification codes useable to process service and access requests to service and access a lockable compartment, wherein the verification code generators of the one or more lock access controllers configured to control at least one controllable electromechanical lock comprise at least one code derivation key, at least one input code and at least one service mode token, and wherein each of the at least one controllable electromechanical locks controlled by the one or more lock access controllers has an associated code derivation key, an associated input code and an associated service mode token, each of which may be a default or pre-established value prior to a lock initialization; a server based system comprising a system public key which is made available to devices cooperating in an initialize lock command, a system private key and a challenge code generator to generate challenge codes useable to process service and access requests to service and access a lockable compartment, wherein the challenge code generator of the server based system comprises a plurality of code derivation keys, a plurality of input codes and a plurality of service mode tokens, wherein each of the controllable electromechanical locks of the plurality of lockable compartments has an associated code derivation key, an associated input code and an associated service mode token, each of which may be a default or pre-established value prior to a lock initialization; and an operator device usable by a user to initialize an electromechanical lock by establishing a new code derivation key and a new input code associated therewith, the operator device comprising an operator device public key which is made available to the server based system in conjunction with an initialize lock command and an operator device private key, wherein in response to a received service request to initialize an electromechanical lock controlled by a lock access controller and comprised by a lockable compartment: the challenge code generator of the server based system encrypts the associated input code and service mode token with the associated code derivation key of the electromechanical lock of the initialize lock request generating a challenge code and secure service mode token and provides the challenge code and secure service token to the operator device; and a verification code generator of the lock access controller controlling the controllable electromechanical lock of the initialize lock request encrypts the associated input code and service mode token with the associated code derivation key of the electromechanical lock of the initialize lock request to create a verification code and a secure service mode token, receives from the operator device the provided challenge code and provided secure service mode token and if the verification code equals the provided challenge code and the secure service mode token equals the provided secure service mode token, then the controllable electromechanical lock of the initialize lock request is initialized, wherein: the verification code generator of the lock access controller controlling the controllable electromechanical lock of the lockable compartment of the initialize request and/or the operator device generate and encrypt a random lock code derivation key component and a random lock input code component using the system based server public key and provides the encrypted lock code derivation key component and the encrypted lock input code component to the challenge code generator of the server based system; the challenge code generator of the system server based system generates and encrypts a random system code derivation key component and a random system input code component using the operator device public key and provides the encrypted system code derivation key component and the encrypted system input code component to the operator device; the operator device decrypts the encrypted system code derivation key component and the encrypted system input code component using the operator device private key and provides the decrypted system code derivation key component and the decrypted system input code component to the verification code generator of the lock access controller controlling the controllable electromechanical lock of the lockable compartment of the initialize request, which are combined with the lock code derivation key component and the lock input code component to create the new code derivation key component and the new input code associated with the controllable electromechanical lock of the lockable compartment of the initialize request and comprised by the verification code generator of the lock access controller controlling the controllable electromechanical lock of the lockable compartment of the initialize request; and the challenge code generator decrypts the encrypted lock code derivation key component and the encrypted lock input code component using the system private key and the decrypted lock code derivation key component and the decrypted lock input code component are combined with system code derivation key component and the system input code component to create the new code derivation key component and the new input code associated with the controllable electromechanical lock of the lockable compartment of the initialize request and comprised by the challenge code generator of the system based server.
 18. The secure storage system of claim 17, wherein the lock access controller controlling the controllable electromechanical lock of the initialize lock request is not initialized if the verification code does not equal the provided challenge code and/or the encrypted service mode token does not equal the provided encrypted service mode token.
 19. The secure storage system of claim 17, wherein the plurality of service mode tokens comprised by the challenge code generator of the server based system are sequence numbers and a sequence number is incremented when a challenge code is generated for a controllable electromechanical lock associated therewith.
 20. The secure storage system of claim 17, wherein the at least one service mode token comprised by each of the one or more lock access controllers are sequence numbers and a sequence number is incremented when a verification code is generated for a controllable electromechanical lock associated therewith.
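
The rolling challenge code and verification code exchange of claims 1, 4 to 9 and 14 to 16 can be modeled as follows. This is an added sketch, not code from the patent: HMAC-SHA256 stands in for the derivation function the claims leave unspecified, and the class names, the caller-supplied clock and the choice to discard a pending code after one comparison are assumptions.

```python
import hashlib
import hmac
import secrets


class CodeGenerator:
    """Common shape of the server's challenge generator and the lock's verification generator."""

    def __init__(self, derivation_key: bytes, input_code: bytes):
        self.key = derivation_key
        self.input_code = input_code

    def next_code(self) -> bytes:
        # Assumption: HMAC-SHA256 as the keyed derivation over the current input code.
        code = hmac.new(self.key, self.input_code, hashlib.sha256).digest()
        self.input_code = code  # claims 6 and 9: input code is set equal to the generated code
        return code


class LockAccessController:
    ACCESS_TIMER_S = 1.0  # claim 16: timer less than or equal to one second

    def __init__(self, derivation_key: bytes, input_code: bytes):
        self.gen = CodeGenerator(derivation_key, input_code)
        self.pending = None  # (verification code, deadline) for the open access request

    def on_access_request(self, now: float) -> None:
        # Claim 1: the verification code is generated in response to the access request.
        self.pending = (self.gen.next_code(), now + self.ACCESS_TIMER_S)

    def submit_challenge(self, challenge: bytes, now: float) -> bool:
        if self.pending is None:
            return False
        code, deadline = self.pending
        self.pending = None  # claim 14: one code, one access request (assumed: even on mismatch)
        if now > deadline:   # claim 15: expired access timer
            return False
        return hmac.compare_digest(code, challenge)  # constant-time equality check


def demo() -> dict:
    # Constructed sample values; `now` is passed in so the run is deterministic.
    key, seed = secrets.token_bytes(32), secrets.token_bytes(32)
    server, lock = CodeGenerator(key, seed), LockAccessController(key, seed)
    out = {}
    lock.on_access_request(now=0.0)
    c1 = server.next_code()
    out["fresh"] = lock.submit_challenge(c1, now=0.4)
    out["replay_no_request"] = lock.submit_challenge(c1, now=0.5)
    lock.on_access_request(now=10.0)
    server.next_code()  # server rolls forward with the lock
    out["replay_old_code"] = lock.submit_challenge(c1, now=10.2)
    lock.on_access_request(now=20.0)
    out["late"] = lock.submit_challenge(server.next_code(), now=21.5)
    lock.on_access_request(now=30.0)
    out["still_in_sync"] = lock.submit_challenge(server.next_code(), now=30.1)
    return out
```

Because both generators advance on every access request rather than on every successful open, a rejected or expired attempt leaves the server and the lock on the same input code.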